When migrating to the cloud and selecting a service provider, one of the most important factors to consider is security. You will be sharing and/or storing your company's data with the chosen service provider.
You need to be confident that your data is secure. There are countless security factors to consider, from shared responsibility to whether the provider's security standards are up to par. This can be a daunting process, especially if you are not a security expert.
When moving to a cloud service, a key element of security is the protection of data in transit between you (the end user) and the provider. This is a dual responsibility for both you and the provider. You will need network protection to prevent data interception and encryption to prevent an attacker from reading any data in the event it is intercepted.
Look for a service provider that offers a set of tools to help you easily encrypt your data in transit and at rest. The same level of protection should apply to data moving internally within the provider's infrastructure and to traffic between the provider and other services where APIs are exposed.
When selecting a cloud service provider, it is necessary to understand the physical location where data is stored, processed, and managed. This is especially important following the implementation of government and industry regulations such as GDPR.
To ensure your assets are protected, a good provider will have advanced physical protection at their data centers to defend your data from unauthorized access. They will also ensure that your data is securely erased before storage and compute resources are reused or disposed of, so it cannot fall into the wrong hands.
A key factor in security is the ability to see and control your data. A good service provider will offer you a solution that gives you full visibility of your data and who is accessing it, regardless of where it is and where you are.
Your provider should offer activity monitoring so you can discover configuration and security changes across your ecosystem, as well as support the integration of new and existing solutions for compliance.
To secure your cloud deployment, you will need more than one solution or partner. A good cloud service provider will make it easy for you to find and connect with different partners and solutions through a marketplace.
Look for a provider with a marketplace that offers a curated network of trusted partners with a proven security track record. The marketplace should also offer security solutions that provide one-click deployment and are complementary to securing your data, whether you operate in a public, private, or hybrid cloud deployment.
A good cloud service provider will offer tools that allow for secure user management. These help prevent unauthorized access to management interfaces and administrative procedures, so that applications, data, and resources are not compromised.
The cloud provider should also offer functionality to implement security protocols that separate users and prevent any malicious (or compromised) user from affecting another's services and data.
When considering a cloud service provider, security and compliance go hand in hand. The provider must meet global compliance requirements validated by a third-party organization. You want a cloud service provider that follows industry best practices in cloud security and ideally holds recognized certification.
The Cloud Security Alliance’s Security, Trust, Assurance, and Risk (STAR) Registry program is a good indicator. Additionally, if you operate in a highly regulated industry – where HIPAA, PCI-DSS, and GDPR may apply – you will also need to identify a provider with specific industry certification.
To ensure your compliance efforts are cost-effective and efficient, the cloud service provider should offer you the ability to inherit their security controls into your own compliance and certification programs.
The cloud provider must ensure that access to any service interface is limited only to authorized and authenticated individuals. When it comes to providers, you want a service that offers identity and authentication features, including username and password, two-factor authentication, TLS client certificates, and identity federation with your existing identity provider.
You also want the ability to restrict access to a dedicated line, corporate network, or community network. A good provider only delivers authentication through secure channels, such as HTTPS, to prevent interception. Avoid services with weak authentication practices: they expose your systems to unauthorized access, leading to data theft, changes to your service, or a denial of service. Also avoid authentication via email, plain HTTP, or phone, as these are highly vulnerable to social engineering and to interception of identity and authentication credentials.
When selecting a cloud service, look for a provider that implements strong operational security to detect and prevent attacks. This should cover four basic elements:
👉 There will be a clear contact route to report any incidents, with an acceptable time frame and format.
You need a cloud service provider whose personnel you can trust, as they will have access to your systems and data. The cloud service provider you choose should have a rigorous and transparent security screening process.
They should be able to verify the identity of their personnel, their right to work, and check for any pending criminal convictions. Ideally, they adhere to locally established screening standards in their countries, such as BS 7858:2019 in the UK or completion of the I-9 form in the U.S.
In addition to screening, you need a service provider that ensures their personnel understand their inherent security responsibilities and undergo regular training. They should also have a policy to minimize the number of people who have access to and can affect your services.
You can choose a cloud provider with cutting-edge security and still experience a breach through misuse of the service. It is important to understand where security responsibilities lie when using the service. Your level of responsibility will be influenced by your cloud deployment model, how you use any service, and the built-in features of any individual service.
For example, you have significant security responsibilities with IaaS. When deploying a computing instance, the responsibility would fall on you to install a modern operating system, configure security, and ensure ongoing patches and maintenance. The same is true for any application deployed on that instance. Therefore, ensure you understand the security requirements of the chosen service and the available security configuration options. Also, ensure you educate your personnel on the secure use of your chosen services.