Security responsibilities of both the provider and the consumer greatly differ between cloud service models. Amazon’s AWS EC2 infrastructure as a service offering, as an example, includes vendor responsibility for security up to the hypervisor, meaning they can only address security controls such as physical security, environmental security, and virtualization security. The consumer, in turn, is responsible for security controls that relate to the IT system (instance) including the operating system, applications, and data.
The inverse is true for Salesforce.com’s CRM SaaS offering. Because the entire “stack” is provided by Salesforce.com, the provider is not only responsible for the physical and environmental security controls, but it must also address the security controls on the infrastructure, the applications, and the data.
Cloud Security Alliance Recommendations
Assessment of third-party cloud service providers should specifically target the provider’s incident management, business continuity and disaster recovery policies, and processes and procedures; and should include review of co-location and back-up facilities.
This should include review of the provider’s internal assessments of conformance to its own policies and procedures, and assessment of the provider’s metrics to provide reasonable information regarding the performance and effectiveness of its controls in these areas.
The user’s business continuity and disaster recovery plan should include scenarios for loss of the provider’s services, and for the provider’s loss of third-party services and third-party-dependent capabilities. Testing of this part of the plan should be coordinated with the cloud provider.
The provider’s information security governance, risk management, and compliance structures and processes should also be comprehensively assessed:
- Request clear documentation on how the facility and services are assessed for risk and audited for control weaknesses, the frequency of assessments, and how control weaknesses are mitigated in a timely manner
- Require definition of what the provider considers critical service and information security success factors, key performance indicators, and how these are measured relative to IT Service and Information Security Management
- Review the provider’s legal, regulatory, industry, and contractual requirements capture, assessment, and communication processes for comprehensiveness
- Perform full contract or terms-of-use due diligence to determine roles, responsibilities, and accountability; ensure legal review, including an assessment of the enforceability of local contract provisions and laws in foreign or out-of-state jurisdictions
- Determine whether due diligence requirements encompass all material aspects of the cloud provider relationship, such as the provider’s financial condition, reputation (e.g., reference checks), controls, key personnel, disaster recovery plans and tests, insurance, communications capabilities, and use of subcontractors
Even if your application is now in the cloud, your security should still be grounded in fundamental risk management principles.