Page 35 - Cyber Warnings
cloud providers, and a subset of requirements for comparatively lower risk third party cloud providers. Each organization will need to determine what “high risk” means for a third party cloud provider given the organization’s own type and size.
Some appropriate factors in determining a cloud provider’s tier are as follows:
- Data classification: Higher data classifications indicate an organization’s perceived risk and merit more complete security controls.
- Regulated/unregulated data: Highly regulated data will require more due diligence from the third party and from your organization.
- Industry requirement compliance: If data is covered under Payment Card Industry requirements (PCI-DSS) or other requirements, substantial financial penalties could result from non-compliance.
- Record volume: Larger data sets may be more attractive to a particular threat source.
- Location of cloud services: Location may present reliability concerns or impact privacy/data localization compliance.
- Control deviation rating: When assessing potential third party cloud providers during an RFI or RFP process, a rating of their potential compliance with internal organizational security controls may predict future compliance.
- Industry certifications: Industry certifications applying to the scope of services provided often illustrate security maturity (or lack thereof), and reputable cloud providers often have one or more of the following: ISO 27001 certification, a PCI-DSS Attestation of Compliance (AOC), or an SSAE 16 assessment.
Security Addendum Language
Using standard language for cloud service agreements enables an organization to effectively
manage and track deviations from standard security and privacy practices.
Security Controls
Because cloud providers often are responsible for services, infrastructure, or support affecting
an organization’s data, security control language clarifies specific expectations to third party
cloud providers.
- Identity and access management: Identity and access security gaps pose the most risk to organizations using cloud services. Terms should establish expectations for access provisioning, change of roles, and termination; least user access (least privilege); a unique identity per user; and multi-factor authentication (such as 2FA) for administrative access. Cloud Access Security Broker (CASB) plans should be included in your statement of work.
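The identity and access terms above only help if someone verifies them, so as an added illustration (not code from the article) the following turns each term into a check run over a provider's account export: unique identity per user, MFA on administrative access, deprovisioning on termination, and role changes reflected in granted access. The export layout, the HR record, the role names, and the job-to-maximum-role ceiling are constructed assumptions, not any real provider's API output.

```python
"""Conformance check for the identity and access terms of a cloud security
addendum: unique identity per user, MFA on administrative access, timely
deprovisioning on termination, and role changes reflected in granted access.
All data formats and sample values here are constructed for illustration."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Roles counted as administrative access (assumed role names).
ADMIN_ROLES = {"admin", "owner"}
# Rank used to compare how broad a role is (assumed ordering).
ROLE_RANK = {"viewer": 0, "editor": 1, "admin": 2, "owner": 3}
# Least-access ceiling: the widest role each job function should hold (assumed).
MAX_ROLE_FOR_JOB = {"platform-admin": "admin", "engineer": "editor", "analyst": "viewer"}


@dataclass
class Account:
    account_id: str
    owners: List[str]   # people who sign in with this account; more than one means a shared credential
    role: str
    mfa_enabled: bool
    enabled: bool


# Constructed HR record: person -> (employment status, job function).
HR_RECORD: Dict[str, Tuple[str, str]] = {
    "alice": ("active", "platform-admin"),
    "bob": ("active", "engineer"),
    "carol": ("terminated", "analyst"),
    "dave": ("active", "analyst"),
    "erin": ("active", "engineer"),
}

# Constructed provider export, with deliberate deviations from the terms.
SAMPLE_EXPORT = [
    Account("alice@corp", ["alice"], "admin", True, True),               # conforms
    Account("bob@corp", ["bob"], "admin", False, True),                  # admin without MFA; exceeds engineer ceiling
    Account("carol@corp", ["carol"], "viewer", True, True),              # owner terminated, account still enabled
    Account("ops-shared@corp", ["dave", "erin"], "editor", True, True),  # shared credential; too broad for an analyst
    Account("svc-backup@corp", [], "viewer", False, True),               # no accountable owner
    Account("old-contractor@corp", ["zed"], "editor", True, False),      # disabled, so not assessed
]


def check_accounts(accounts: List[Account], hr: Dict[str, Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Return (account_id, deviation) pairs for every enabled account that breaks a term."""
    findings: List[Tuple[str, str]] = []
    for acct in accounts:
        if not acct.enabled:
            continue  # a disabled account cannot be used; deprovisioning has already happened
        if not acct.owners:
            findings.append((acct.account_id, "no accountable owner (orphaned account)"))
        if len(acct.owners) > 1:
            findings.append((acct.account_id, "shared credential; terms require a unique identity per user"))
        if acct.role in ADMIN_ROLES and not acct.mfa_enabled:
            findings.append((acct.account_id, "administrative access without multi-factor authentication"))
        for person in acct.owners:
            status, job = hr.get(person, ("unknown", ""))
            if status == "terminated":
                findings.append((acct.account_id, f"owner {person} terminated but account still enabled"))
            elif status == "unknown":
                findings.append((acct.account_id, f"owner {person} not found in HR record"))
            else:
                # Role-change term: access must not exceed what the person's current job needs.
                ceiling = MAX_ROLE_FOR_JOB.get(job)
                if ceiling and ROLE_RANK[acct.role] > ROLE_RANK[ceiling]:
                    findings.append((acct.account_id, f"role {acct.role} exceeds ceiling {ceiling} for job {job}"))
    return findings


if __name__ == "__main__":
    for account_id, deviation in check_accounts(SAMPLE_EXPORT, HR_RECORD):
        print(f"{account_id}: {deviation}")
```

The role-change term is checked indirectly: the HR job function is compared with the role actually granted, so privileges that survived a move to a narrower job surface as a deviation. In practice the account list would come from the provider's reporting interface or from the CASB named in the statement of work, and the findings feed the deviation tracking the addendum is meant to support.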
- Encryption: Large data volumes and sensitive data hosted at cloud providers require specific terms for encrypting data in transit over public connections and at rest (including server storage, caches, and other often-overlooked storage mechanisms). Which protocols are specified (or left unspecified) should depend on the individual organization’s policies, standards, procedures, and configuration baselines. While many
35 Cyber Warnings E-Magazine – June 2016 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide