This best practice might seem obvious, but it can never be over-emphasized. Here are the five must-dos of Cloud Computing security…
- Evaluate Cloud service providers’ security with these questions:
  - What access control model do you use? Who chooses the authoritative sources of access control policy and user profile information — you, or us, or a third party?
  - Do you support retrieval of access control policies and user profile information from external sources? If so, via what formats and transmission mechanisms?
  - Where do our accounts reside? How are they provisioned and deprovisioned? How do you protect the integrity of our data?
  - What authentication mechanisms do you support? (These should be appropriate for the sensitivity of the data in use.) Do you support federated authentication or single sign-on model(s)?
  - What support do you provide for delegated administration by policy administration services?
  - What log information do you provide? Can it be imported into our operational analysis and reporting tools?
  - Can we specify external entities with whom to share information? If so, how is that accomplished?
- When using cloud computing services, pay attention to user authentication:
  - Define and enforce strong password policies.
  - Match authentication options to the risk level of the Cloud services being used — and authenticate all users with at least a username and password.
  - Require enterprise administration capabilities for all supported authentication methods, especially the administration of privileged users.
  - Make sure self-service password reset functions validate the user’s identity before resetting anything.
  - Consider using federated authentication (you authenticate your users locally, then pass some type of token to the Cloud service granting access for that user).
- Perform a thorough evaluation of your own IT security so you understand your infrastructure and application vulnerabilities and are sure that all security controls are in place and operating properly.
- Develop a risk mitigation plan and document it so you can quickly deal with any issues that arise — and so you know how to train employees about risks and how to respond to them.
- Monitor Cloud service performance rigorously; this is how you and your Cloud provider will recognize any security threats early and deal with them quickly.
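To make the federated authentication item concrete, here is an added example (not code from the original post or from any particular provider) of the two halves of that flow: the enterprise side authenticates the user locally and mints a short-lived signed token, and the Cloud service side accepts the token only after checking its signature, issuer, audience and expiry. The shared secret, the issuer name `idp.example.internal` and the audience `cloud-service.example` are constructed placeholders; a production deployment would use SAML or OIDC with keys from a secrets manager rather than a hard-coded HMAC secret, but the checks the verifier performs are the same ones a practitioner should expect of any token-based federation.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed placeholder values for the example only.
SHARED_SECRET = b"example-shared-secret-do-not-use"   # agreed out-of-band between IdP and cloud service
TRUSTED_ISSUER = "idp.example.internal"               # assumed name of the enterprise identity provider
EXPECTED_AUDIENCE = "cloud-service.example"           # assumed identifier of the cloud service


def _b64url(data: bytes) -> str:
    """URL-safe base64 without padding, as used in JWT-style tokens."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64url(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(subject: str, roles, now=None, ttl_seconds=300) -> str:
    """Enterprise side: called only after the user has authenticated locally.
    Mints a short-lived token whose claims are bound to this cloud service."""
    now = int(time.time()) if now is None else now
    claims = {
        "iss": TRUSTED_ISSUER,
        "aud": EXPECTED_AUDIENCE,
        "sub": subject,
        "roles": list(roles),
        "iat": now,
        "exp": now + ttl_seconds,
    }
    payload = _b64url(json.dumps(claims, sort_keys=True, separators=(",", ":")).encode())
    sig = hmac.new(SHARED_SECRET, payload.encode(), hashlib.sha256).digest()
    return f"{payload}.{_b64url(sig)}"


def verify_token(token: str, now=None):
    """Cloud-service side: returns (True, claims) only when every check passes,
    otherwise (False, reason). The signature is checked before the claims are
    parsed so that untrusted input never influences the decision."""
    now = int(time.time()) if now is None else now
    try:
        payload, sig_b64 = token.split(".")
        sig = _unb64url(sig_b64)
    except (ValueError, AttributeError):   # wrong part count or bad base64
        return False, "malformed token"
    expected = hmac.new(SHARED_SECRET, payload.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):   # constant-time comparison
        return False, "bad signature"
    try:
        claims = json.loads(_unb64url(payload))
    except ValueError:
        return False, "malformed claims"
    if claims.get("iss") != TRUSTED_ISSUER:
        return False, "untrusted issuer"
    if claims.get("aud") != EXPECTED_AUDIENCE:
        return False, "wrong audience"
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return False, "expired"
    return True, claims


if __name__ == "__main__":
    token = issue_token("alice", ["reader"])
    print("fresh token:", verify_token(token))
    # A token whose claims were altered after issuance fails the signature check.
    forged_payload = _b64url(b'{"aud":"cloud-service.example","exp":9999999999,'
                             b'"iss":"idp.example.internal","roles":["admin"],"sub":"alice"}')
    print("forged token:", verify_token(forged_payload + "." + token.split(".")[1]))
```

The point of the example is which checks the service performs, not the token format: a federation that verifies only the signature, or only the expiry, lets a token minted for one service (or one that has long since expired) grant access to another.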
Next time: Cloud Computing best practice #2.