TABLE 19.1
Security Risk Areas When Selecting a Potential Public Cloud Provider

Issue: Questions for Potential Public Cloud Providers

Architecture: Is the provider's security architecture available for scrutiny? What is the architecture for access management?

Risk assessment: Do you utilize an independent authority to assess and monitor security risks?

Legislation, compliance, and governance: What controls do you have in place to ensure that domain-specific legislation is complied with?

Information location: Where will the information reside?

Segregation: Will the applications/tools be shared with other tenants? Which applications/tools will be shared?

Service level: What service level is to be guaranteed, and what measures are in place for access to data during downtime? What is the scope of any penalties for downtime/loss of access?

Portability: What standards are employed to guarantee data/application/tools/process portability?

Physical security: To what standard is physical security provided?

Management tools: How are software updates and patches managed to minimize service disruption? What monitoring tools are provided?

Perimeter security: What controls are in place for firewalls and the management of Virtual Private Network (VPN) access?

Encryption: What standards for encryption are in place? How are public keys managed? How is single sign-on (SSO) implemented?
here is to establish where the boundary of trust exists between the consumer and the provider; this needs to be established up front to prevent costly confusion in the future. Table 19.1 illustrates some pertinent issues to raise with a potential cloud provider.
19.7.1 Requisite Certifications
It is evident that successfully evaluating a cloud offering requires considerable expertise. Arguably, that expertise can only be acquired by undertaking the provision of cloud services oneself. IT is a domain that is constantly faced with newly emerging technologies, approaches, and models, so it is not atypical for the business case to drive a fundamental change without anyone fully comprehending the impact that the change is likely to have.
The normal response from the IT industry is to create a body of industrial partners, many of whom will have a vested interest in the products that are on offer (it is usually a technology for sale). Industrial parties are joined by representatives from government or trade bodies and sometimes from regulatory agencies. Once formed, the body works toward a standard that can be used to harmonize the approaches taken toward the adoption of the