Uploaded bysllongo3
254 views

TierPoint White Paper_With all due diligence_2015

This white paper outlines critical due diligence practices for evaluating a cloud provider's security capabilities in today's cloud environment, emphasizing the need for comprehensive verification of infrastructure, certifications, provider's own diligence, and data protection measures. It highlights that many businesses fail to assess cloud services adequately, increasing their vulnerability to security threats. The document provides essential insights into assessing cloud providers beyond mere compliance to ensure data safety and reliability.

Embed presentation

Download to read offline
www.tierpoint.com WHITE PAPER This paper serves as a guide to investigating and understanding a prospective cloud provider’s true security capabilities in a modern cloud environment. With All Due Diligence
2www.tierpoint.com WHITE PAPERWith All Due Dilgence Table of Contents Executive Summary. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 The Four Cornerstones ofYour Due Diligence .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2 1: Verify Infrastructure. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2 2: Verify Certifications. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 3: Verify the Provider’s Own Due Diligence. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 4: Verify Data Protection.. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 Conclusion and Recommendations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10 References. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
1www.tierpoint.com WHITE PAPERWith All Due Dilgence Executive Summary Do you hand over your company’s data to your cloud services provider without making sure they are fully capable of protecting it? The Ponemon Institute has found that only 43% of businesses utilizing cloud services actually “audit or assess cloud computing resources before deployment.”i That is a big problem, according to the Cloud Security Alliance: they say that the failure of organizations to conduct due diligence on their cloud vendors is one of the top cloud computing threats, in part because customers tend to underestimate the danger of performing insufficient due diligence (see Figure 1). ii And the issue is only becoming more and more prevalent, given the growth of cloud computing in the modern marketplace: over half of American companies are using cloud computing systems,iii with expenditures on cloud services likely surpassing $180 billion by 2015iv . It’s time to take due diligence and give it its due; it’s no longer enough to simply ask for a list of compliance certifications.The need for sophisticated due diligence has grown exponentially just within the past couple of years. But how do you determine which cloud providers can deliver on their promises, and which cloud offerings are just smoke and mirrors? This paper will help you understand, clearly and concisely, what due diligence should mean to you in the modern cloud environment.We’ll walk through the kinds of information you need to unearth – including the subtle, non-obvious questions – to be sure your prospective cloud provider isn’t merely compliant but truly secure and reliable. Risk Relevance Rank Figure 1. Source: Cloud Security Alliance Cloud Provider Due Diligence At A Glancev
WHITE PAPERWith All Due Dilgence 2www.tierpoint.com The Four Cornerstones of Your Due Diligence Cornerstone #1: Verify Infrastructure Make sure that the provider’s cloud hardware and infrastructure is based on a standardized set of equipment. The equipment for all of their cloud infrastructure – including multiple data centers, multiple physical servers and multiple storage area networks – should be both standardized and enterprise-class. Why? The cloud – your cloud – lives on that infrastructure. Good cloud providers will put their infrastructure through as much due diligence as the cloud itself (we’ll cover this point more in Cornerstone 3). This issue is foundational – that is, it’s literally the foundation upon which your cloud will rest. Make sure it’s robust enough to shoulder the weight. There are four key elements to infrastructure: facilities, hardware, core connectivity and delivery.TierPoint’sVice President of Technical Services, Brian Bean explains, “Infrastructure is a broad and often misunderstood term. It means hardware first and foremost, but it’s also talking about how that hardware is architected, assembled and used. It immediately implies questions most customers don’t even think about:Will every piece of equipment work with other pieces of equipment in the environment?” That can become a major issue during failover [disaster recovery] protocols. Is the cloud provider locked into particular vendors? Too much reliance on a single vendor can impact performance and present budgetary concerns. InsiderTip: “My number one piece of advice would be to make sure that their cloud hardware and infrastructure is based on a standardized set of equipment.” - Denoid Tucker, Chief Technology Officer, TierPoint
WHITE PAPERWith All Due Dilgence 3www.tierpoint.com For example, a patchwork quilt of technologies and components raises costs by requiring multiple sets of adapters, cables and switches. Ideally, hardware resources should be uniform (for ease and cost effectiveness), physically distributed (for security and business continuity planning) and centrally managed (for responsiveness). Security should be architected into the infrastructural planning rather than tacked on, or worse, using security protocols designed for an environment different than the one used for your data. From the micro to the macro, infrastructure also encompasses the environment’s total physical and logical security. In other words, have the cloud provider’s data centers as a whole been secured against both physical and virtual intrusion using best-in-class protocols, design and physical equipment/layout? Indeed, the implications of how well (or poorly) infrastructural components are chosen and implemented ripple outward into every other aspect of the cloud provider’s operations, including performance and risk.According to the International Working Group on Cloud Computing Resiliency (IWGCR), the average downtime for a cloud provider is 7.5 hours per year. Infrastructure is a major component of whether your provider will beat the average or not. Similarly, security risks can be traced back to infrastructure. Questions ranging from “who can access my data?” to “what happens if servers fail – will we lose data?” depend on the quality and consistency of the provider’s infrastructure. Thankfully, the industry has established some pretty clear metrics here, and many guides will indicate specific elements of infrastructure you should investigate (we’ll point you toward a couple later in this paper). Plus, you have another avenue for verifying infrastructural integrity: certifications. We’ll cover those next.
WHITE PAPERWith All Due Dilgence 4www.tierpoint.com Cornerstone #2: Verify Certifications Nearly three-quarters (72%) of companies told researchers at the Ponemon Institute that they are unsure, disagree or strongly disagree that their cloud providers are “in full compliance with privacy and data protection regulations and laws.”vi That’s shocking because certifications are just about the simplest thing to verify. In fact, savvy business IT leaders, especially larger enterprises, don’t necessarily see certifications as all that interesting.Their response to seeing those certs? “Of course you have that; you have to have that layer of certification. Otherwise, I wouldn’t even be talking to you.” They recognize that certifications establish that a provider meets minimum thresholds established by law. But as we all know, the law sometimes struggles to keep up with cutting-edge trends in technology. So the certification is the beginning of the conversation, not its end. In other words, there’s more to this step than meets the eye, much more than just crossing line-items off a checklist.A cloud provider’s certifications can give you a lot of valuable secondary information, allowing you to triangulate the cloud provider’s capacity to meet your needs. First, certs highlight industries served. While the “alphabet soup” of compliance regulations (HIPAA, PCI, SOX, GLB, SOC, ISO, FedRAMP…) is quite diverse, certification generally means that an independent accrediting organization has done its own form of (narrowly focused) due diligence on the cloud provider. Compliance indicates at least minimally satisfactory performance metrics and security safeguards that are in line with industry standards and applicable laws. For instance: if the cloud provider is PCI DSS compliant, you know it adheres to the proprietary information security standard for organizations that handle branded credit cards. If it is HIPAA compliant, you know it adheres to the policies, procedures and guidelines for maintaining the privacy and security of individually identifiable health information. Other specific certifications will vary according to customer needs and circumstances. But in all cases your goal during due diligence is two-fold: first, to understand whether the cloud service provider adheres to industry standards for security; and second, to understand their data center operational efficiencies. For example, SSAE 16 certification assesses the internal controls of a service organization; SSAE 16 Type 1 substantiates the suitability of the controls, while Type 2 attests to their operational effectiveness. InsiderTip “I would advise looking at the layers of certification that the company has, and figure out why they have those particular certification layers.” - Paul Mazzucco, Chief Security Officer, TierPoint
WHITE PAPERWith All Due Dilgence 5www.tierpoint.com Secondly, certs tell you what kinds of clients have already done due diligence on the provider. For instance, if a cloud provider has obtained PCI accreditation, obviously that means they have clients working in the financial sector. In that case, according to TierPoint’s CSO Paul Mazzucco: “It’s important to check the number of financial services clients the cloud provider is supporting. Is it three clients or 20? PCI accreditation tells you they meet the letter of the law, while the depth of their financial services client base tells you how many other major players performed the same due diligence and are comfortable enough with their discovery to have chosen that cloud provider.” In other words, you’re not the first company to do due diligence on them. Third, they offer you a starting point to ask how the provider stays truly secure, not just compliant. Finally, a smart client will use the certs as a starting point for the security conversation.“Okay, so you’re certified. Now show me all the other things that are going to make me sleep well at night. Prove to me that you test all these processes and procedures.” Using the financial services industry example, look beyond PCI accreditation. Ask the cloud provider about their knowledge of data retention and encryption. Examine their processes and procedures. Demand proof that security protocols are in place and that they were implemented correctly and tested against industry best practices. In other words, ask what due diligence the provider has done on itself.
WHITE PAPERWith All Due Dilgence 6www.tierpoint.com Cornerstone #3: Verify the Provider’s Own Due Diligence Unplanned downtime can cause serious financial consequences for any business. A December 2013 Ponemon Institute study quantified the cost of an unplanned data center outage at $7,900/minute, up 41% from 2010.vii Your cloud provider should be doing its own due diligence to ensure its equipment, networks and protocols actually work through a broad spectrum of scenarios both ordinary and catastrophic. According to TierPoint CTO Denoid Tucker: “Our xCloud infrastructure goes through as much due diligence as the cloud itself. People early on weren’t asking,‘What happens if a major weather event in Hawthorne, NYcauses a disruption? Where does my data go because you’re my cloud provider?’ But today they are asking those questions, and we have to show them new layers of due diligence to prove that we have an Incident Response Plan (IRP) in place along with the processes and procedures to implement it. In other words, we know what to do if something happens in any one of our data centers; we can show where the client fits into the plan; and, perhaps most importantly, we can provide evidence that our procedures have been tested and proven to work.” Does the cloud provider know how to fail successfully? Any given risk to the provider’s infrastructure might be low, but it’s never zero, and any provider that offers enterprise-class services must make arrangements for resources beyond just a single data center. For instance, in the case of extreme weather, such as Hurricane Sandy, it’s critical that your cloud provider has redundancy and capacity built in.You do not want to do business with a provider that does not plan for growth while maintaining their stated levels of high-availability. Due diligence is about eliminating as much risk as possible; ensure that a provider’s growth will not create a high-risk situation for your critical business workloads. One of the best ways to do this is to make sure your workloads are distributed across multiple, highly resilient facilities.That requires the cloud provider to have developed its own contingency plan to deal with unforeseen disasters or performance issues; so ask them to map out those DR and BC plans for you. InsiderTip “I would want to see and understand the third-party due diligence the provider has obtained.” - Denoid Tucker, CTO,TierPoint
WHITE PAPERWith All Due Dilgence 7www.tierpoint.com Consider public cloud giant Amazon: when they suffered a major outage at their NorthernVirginia data center in 2012, it hit customers hard; but those that had adopted a cloud model involving multiple data centers across availability zones (AZ) suffered little or no ill effects.viii, ix One major caveat: most of those Amazon customers had to specially set up service in multiple data centers.Those who did not lost their service until the NorthernVirginia location was restored.Which is why even Amazon’s own CTO WernerVogels preaches that IaaS cloud users should prepare for failure: opting not to pay for redundancy, for example, may be “penny wise” for ordinary usage but can prove to be “pound foolish” during catastrophic outages. Is your cloud provider’s people smart? Another area of internal due diligence that often gets overlooked by customers: staffing. Not only are you investing in a provider’s technology, you are depending on the quality of their people too. Do you trust them with your job? Background checks may be overkill, unless the cloud provider will be working with government agencies; however, it is advisable to ask about, for example, internal protocols for managing employee access to customer data, or what technical certifications are required by the cloud provider for the engineers building and maintaining your cloud. Altogether, if the cloud provider hasn’t done due diligence on itself, it cannot verify it can meet your needs even in extreme circumstances … and that means it can’t guarantee the safety of your data.
8www.tierpoint.com WHITE PAPERWith All Due Dilgence Cornerstone #4: Verify Data Protection Data loss is a serious threat for cloud customers.We would argue that all of the other due diligence verifications we’ve discussed (infrastructure, certs, etc.) lead to this one, because ultimately it’s about keeping your systems, your apps and, above all else, your data safe. And that’s not a trivial task. One 2014 survey found that a staggering 43% of companies had a data breach in the past yearx and 45% of businesses have had data lost within the past 12 months, 11% of whom were required to disclose the loss publicly. xi With some 800 million records lost in 2013 alone, data breaches, theft and loss are serious business. Not to mention expensive: the Ponemon’s Institute’s “2014 Cost of Data Breach Study: United States” found it costs businesses $201 per record lost, a $9 increase from the previous year. xii (It should be noted the Ponemon study also found that data loss is actually less costly “when the organization’s use of IaaS or cloud infrastructure increases.”) Once upon a time, protecting the perimeter was enough. Today that’s a fairy tale. Securing against data breaches and data loss means something very different than it did even just a couple of years ago, and focusing security efforts on the perimeter is insufficient. Just ask Target, JPMorgan Chase, eBay or Home Depot. In fact, since the Target breach, there has been a major data breach discovered almost every month. xiii Tom Kellermann, the chief cybersecurity officer at IT security firm Trend Micro, told the Washington Post in the aftermath of the Home Depot mega-hack (in which some 56 million credit card numbers were compromised),“Current standards of security for these large organizations are very perimeter-focused and don’t deal with the level of attacks that are going on in the market.” xiv Today, protecting against breaches means continuously monitoring the entire network and its activity for any and all anomalies.Ask your cloud provider how they adapt internal security controls and processes to identify and meet the security impact of technological changes.Then, in turn, are those changes documented and proven via the cloud provider’s own due diligence? InsiderTip “Look for the ability to secure your business against data breaches by being able to monitor the data flow and know when there’s any sort of intrusion into your network.” - Paul Mazzucco, Chief Security Officer, TierPoint
9www.tierpoint.com WHITE PAPERWith All Due Dilgence The risks are evolving faster than the speed of business. This is all because threats have evolved significantly.As TechCrunch reports, “As organizations have bolstered their security, hackers also evolved. Attacks today are more sophisticated and targeted than ever before. Rather than sending generic malware, hackers today carefully plot each and every attack, using unique,“zero-day” exploits that render signature-based protections nearly useless.”xv These new threats require a new kind of proactive,adaptive monitoring that are difficult to implement.In fact,this may be part of the reason why you’re even considering a cloud provider in the first place;since cloud security is part of their core service,they make major investments in it - a level of investment that companies whose core business lies elsewhere might not be able or willing to make - including beyond adequate levels of encryption and key management, hardware and smoke control to protect against denial of service,stringent background checks and employee training to protect against malicious insiders,etc.
10www.tierpoint.com WHITE PAPERWith All Due Dilgence Conclusion and Recommendations Due diligence is no longer simply a checklist.Your cloud provider is one of the most strategic business partners that you can have, and you cannot go into such a key business relationship without verifying that they can deliver on the promise of ever-evolving cloud services. Just as security has moved from relatively straight-forward malware signature detection to adaptively and proactively seeking out anomalous behavior, due diligence is a painstaking process of searching out the anomalies and gaps in your current or prospective cloud provider’s offerings. In fact, due diligence may just be the single most important step you can take to effectively mitigate the risk of hosting your company’s data, applications and operating environments in the cloud.To ensure you perform due diligence equal to modern requirements, we recommend the following actions: 1. Visit the provider’s data center facilities. If they don’t permit customer visits, that should be an immediate red flag. Business customers should be able to see the facilities, equipment and people that will be hosting and protecting their valuable data. 2. Request and follow up with references. Ask to see the certifications alongside a client list that demonstrates diversity in the client base.Ask why those clients chose that provider over what other competitors were offering. 3. View compliance certificates; in the case of SSAE 16, also view the Statements of Applicability. Not only can these documents provide evidence of the certs, they can also shed light on specific security controls and operational controls. 4. Require evidence. Don’t be afraid to ask for evidence of security or performance claims; take nothing at face value.A professional cloud provider will be happy to demonstrate what they’re doing to be really secure, not just compliant. Further, continue to ask for evidence on demand as needed: access logs, data flow of firewalls, etc. 5. Take advantage of professional resources to help guide your due diligence. In particular, the Cloud Security Alliance has put together a comprehensive and detailed guide that we recommend. For instance the CSA’s Cloud Controls Matrix contains 269 standards covering every aspect of cloud security implementation, operation and maintenance. 6. Test it yourself. Order your own independent penetration tests.You may have to pay for it, but it’s a worthwhile investment: choosing a provider wisely will return dividends over the years.
WHITE PAPERWith All Due Dilgence 11www.tierpoint.com References i. (2013, Mar). Security of Cloud Computing Users Survey.The Ponemon Institute. Retrieved November 17, 2014, from http://www.ca.com/kr/~/media/Files/IndustryAnalystReports/2012- security-of-cloud-computer-users-final1.pdf ii. (2013, Feb).The Notorious Nine: Cloud Computing Top Threats in 2013.The Cloud Security Alliance. Retrieved October 1, 2014, from https://downloads.cloudsecurityalliance.org/ initiatives/top_threats/The_Notorious_Nine_Cloud_Computing_Top_ Threats_in_2013.pdf iii. Young, M. (2013,Aug). 5 Benefits of BYOD with Cloud Computing. CloudTweaks. Retrieved October 1, 2014, from http://cloudtweaks.com/2013/08/article-title-5-benefits-of-byod-with- cloud-computing/ iv. McCue,T. (2014, Jan 29). Cloud computing: United States businesses will spend $13 billion on it. Forbes. Retrieved October 5, 2014, from http://www.forbes.com/sites/tjmccue/2014/01/29/ cloud-computing-united-states-businesses-will-spend-13-billion-on-it/ v. (2013, Feb).The Notorious Nine: Cloud Computing Top Threats in 2013.The Cloud Security Alliance. Retrieved October 1, 2014, from https://downloads.cloudsecurityalliance.org/ initiatives/top_threats/The_Notorious_Nine_Cloud_Computing_Top_ Threats_in_2013.pdf vi. (2014, Sep). Data Breach:The Cloud Multiplier Effect in European Countries. Ponemon Institute. Retrieved October 5, 2014, from http://www.netskope.com/wp-content/ uploads/2014/09/Netskope-EU-consolidated-Research-Report-FINAL.pdf vii. Ponemon Institute. (2013, December).The Lowdown on Data Center Downtime: Frequency, Root Causes and Costs. Emerson Network Power. Retrieved August 22, 2014, from http://www.emersonnetworkpower.com/en-US/Solutions/ByApplication/ DataCenterNetworking/Data-Center-Insights/Pages/Causes_of_Downtime_Study.aspx viii. Adler, Brian. (2013, January 4).AWS Outage Lessons Learned: If Netflix Can Suffer, So Can You. Right Scale. Retrieved August 14, 2014, from http://www.rightscale.com/blog/cloud- management-best-practices/aws-outage-lessons-learned-if-netflix-can-suffer-so-can-you ix. Pryor, D. (2013, Jun 4).Ten vital questions to ask your cloud provider. HighQ. Retrieved October 1, 2014, from http://highq.com/blog/ten-vital-questions-to-ask-your-cloud-provider x. Wise, E. (2014, Sep 24). 43% of companies had a data breach in the past year. USATODAY. Retrieved November 3, 2014, from http://www.usatoday.com/story/tech/2014/09/24/data- breach-companies-60/16106197/ xi. Finneran, M. (2013, Dec 4). How mobile security lags BYOD. Darkreading. Retrieved October 1, 2014, from http://www.darkreading.com/mobile-security/how-mobile-security-lags-byod/d/ d-id/1112902 xii. Messmer, E. (2014, May 5). Data breaches 9% more costly in 2013 than year before. Network World. Retrieved October 3, 2014, from http://www.networkworld.com/article/2176589/ malware-cybercrime/data-breaches-9--more-costly-in-2013-than-year-before.html xiii. (2014, June 19). 5 Data Breach Statistics Worth Knowing. Paymetric Blog. Retrieved November 3, 2014, from http://www.paymetric.com/uncategorized/5-data-breach-statistics- worth-knowing xiv. Halzack, S. and Peterson,A. (2014, Sep 9). Home Depot breach reveals how challenging it is to ward off data theft.The Washington Post. Retrieved September 15, 2014, from http://www.washingtonpost.com/blogs/the-switch/wp/2014/09/09/home-depot-breach- reveals-how-challenging-it-is-to-ward-off-data-theft/ xv. Eshel, P; Moore, B; Shalev, S. (2014, Sep 6).Why Breach Detection IsYour New Must-Have, Cyber Security Tool TechCrunch. Retrieved October 1, 2014, from http://techcrunch. com/2014/09/06/why-breach-detection-ss-your-new-must-have-cyber-security-tool/
AboutTierPoint TierPoint is a leading national provider of cloud, colocation, managed services and disaster recovery solutions designed to help organizations improve business performance and manage risk. With corporate headquarters in St. Louis, Mo., TierPoint operates 13 highly-redundant,Tier III plus data centers in the states of Washington,Texas, Oklahoma, Pennsylvania, Maryland, NewYork, Massachusetts and Connecticut. To find out how TierPoint can help you with your cloud, colocation, managed services and disaster recovery initiatives — call 877.859.TIER (8437), email sales@tierpoint.com, or visit us at www.tierpoint.com. TierPoint 520 Maryville Centre Dr. St. Louis, MO 63141 www.tierpoint.com © 2015 TierPoint, LLC.All Rights Reserved.

More Related Content

PDF
10-TOP-IT-INITIATIVES_6-6-16
byPeak 10
 
DOC
"Compliance First" or "Security First"
byAnton Chuvakin
 
PDF
The cost of downtime
byBillyHosking
 
PDF
Privacy Preserving in Authentication Protocol for Shared Authority Based Clou...
byIRJET Journal
 
PDF
Practical advice for cloud data protection ulf mattsson - oracle nyoug sep ...
byUlf Mattsson
 
PDF
IRJET- Proficient Public Substantiation of Data Veracity for Cloud Storage th...
byIRJET Journal
 
PDF
Cloud Computing
bysahil lalwani
 
PDF
IRJET- Detecting Data Leakage and Implementing Security Measures in Cloud Com...
byIRJET Journal
 
10-TOP-IT-INITIATIVES_6-6-16
byPeak 10
 
"Compliance First" or "Security First"
byAnton Chuvakin
 
The cost of downtime
byBillyHosking
 
Privacy Preserving in Authentication Protocol for Shared Authority Based Clou...
byIRJET Journal
 
Practical advice for cloud data protection ulf mattsson - oracle nyoug sep ...
byUlf Mattsson
 
IRJET- Proficient Public Substantiation of Data Veracity for Cloud Storage th...
byIRJET Journal
 
Cloud Computing
bysahil lalwani
 
IRJET- Detecting Data Leakage and Implementing Security Measures in Cloud Com...
byIRJET Journal
 

What's hot

PDF
How Unisys and Dell EMC Together Head Off Backup Storage Cyber Security Vulne...
byDana Gardner
 
PDF
DLP Executive Overview
byKim Jensen
 
PDF
security_secure_pipes_frost_whitepaper
byAlan Rudd
 
PDF
Cloud Computing Security
byArunvignesh Venkatesh
 
PPT
Shariyaz abdeen data leakage prevention presentation
byShariyaz Abdeen
 
PDF
5 Ways to Stay #CyberSecure
byMedia Sonar
 
PDF
50120140507005 2
byIAEME Publication
 
PDF
Comparing cloud-computing-providers-11-factors-to-consider-profit bricks-ebook
byProfitBricks
 
DOCX
Cloud Computing Adoption and the Impact of Information Security
byBelinda Edwards
 
PDF
Proxy-Oriented Data Uploading & Monitoring Remote Data Integrity in Public Cloud
byIRJET Journal
 
PDF
Employment Feedback by Securing Data using Anonymous Authentication
byIRJET Journal
 
PDF
Carbon Black: Moving to a Cloud Based Next Generation Platform for Endpoint S...
byMighty Guides, Inc.
 
PDF
Whitepaper: Security of the Cloud
byCloudSmartz
 
PDF
Security of the Cloud
byEpoch Universal, Inc.
 
PDF
V mware sddc-micro-segmentation-white-paper
byEMC
 
PDF
SecSecuring Software as a Service Model of Cloud Computing: Issues and Solutions
byijccsa
 
PDF
Your Data Center Boundaries Don’t Exist Anymore!
byEMC
 
PDF
Survey on Security in Cloud Hosted Service & Self Hosted Services
byijtsrd
 
PDF
Cryptographic Countermeasure Against Prevention Of Dos and Distributed DOS A...
byIRJET Journal
 
How Unisys and Dell EMC Together Head Off Backup Storage Cyber Security Vulne...
byDana Gardner
 
DLP Executive Overview
byKim Jensen
 
security_secure_pipes_frost_whitepaper
byAlan Rudd
 
Cloud Computing Security
byArunvignesh Venkatesh
 
Shariyaz abdeen data leakage prevention presentation
byShariyaz Abdeen
 
5 Ways to Stay #CyberSecure
byMedia Sonar
 
50120140507005 2
byIAEME Publication
 
Comparing cloud-computing-providers-11-factors-to-consider-profit bricks-ebook
byProfitBricks
 
Cloud Computing Adoption and the Impact of Information Security
byBelinda Edwards
 
Proxy-Oriented Data Uploading & Monitoring Remote Data Integrity in Public Cloud
byIRJET Journal
 
Employment Feedback by Securing Data using Anonymous Authentication
byIRJET Journal
 
Carbon Black: Moving to a Cloud Based Next Generation Platform for Endpoint S...
byMighty Guides, Inc.
 
Whitepaper: Security of the Cloud
byCloudSmartz
 
Security of the Cloud
byEpoch Universal, Inc.
 
V mware sddc-micro-segmentation-white-paper
byEMC
 
SecSecuring Software as a Service Model of Cloud Computing: Issues and Solutions
byijccsa
 
Your Data Center Boundaries Don’t Exist Anymore!
byEMC
 
Survey on Security in Cloud Hosted Service & Self Hosted Services
byijtsrd
 
Cryptographic Countermeasure Against Prevention Of Dos and Distributed DOS A...
byIRJET Journal
 

Viewers also liked

DOCX
Avance academico g5 verdad
byJesseniaMasabanda
 
PDF
Shout your silly worry contest
byOnodera Masato
 
PDF
แผนการจัดการเรียนรู้ กลุ่มสาระสังคมศึกษา ศาสนาและวัฒนธรรมท้องถิ่นไทดำ
byMine Pantip
 
PDF
Introductory manual for the open source meshing code SALOME
byFilippos Kalofotias
 
PDF
0620 s16 qp_23
byOmniya Jay
 
PDF
Social media strategy
byAnna Dosev
 
PDF
Persona & Scenarios for Baidu Cloud - By Vanbin Fan 2012.12.25
byVanbin Fan, JWMI MBA
 
PPTX
use of camera
byaamina24
 
PDF
Young Cannes Lions_3_2017_Client presentation
byAnna Shutova
 
PDF
Resourcing the US 2030 Cyber Strategy
byScott Dickson
 
Avance academico g5 verdad
byJesseniaMasabanda
 
Shout your silly worry contest
byOnodera Masato
 
แผนการจัดการเรียนรู้ กลุ่มสาระสังคมศึกษา ศาสนาและวัฒนธรรมท้องถิ่นไทดำ
byMine Pantip
 
Introductory manual for the open source meshing code SALOME
byFilippos Kalofotias
 
0620 s16 qp_23
byOmniya Jay
 
Social media strategy
byAnna Dosev
 
Persona & Scenarios for Baidu Cloud - By Vanbin Fan 2012.12.25
byVanbin Fan, JWMI MBA
 
use of camera
byaamina24
 
Young Cannes Lions_3_2017_Client presentation
byAnna Shutova
 
Resourcing the US 2030 Cyber Strategy
byScott Dickson
 

Similar to TierPoint White Paper_With all due diligence_2015

PPT
Cloud Computing Security Issues
byDiscover Cloud Computing
 
PDF
Strategies for assessing cloud security
byArun Gopinath
 
PDF
Strategies for assessing cloud security
byIBM India Smarter Computing
 
PDF
Ast 0064255 strategies-for_assessing_cloud_security
byAccenture
 
PDF
Cloud Security: Perception VS Reality
byKVH Co. Ltd.
 
PPTX
Building and Operating Clouds
byBMC Software
 
PDF
Security Considerations When Using Cloud Infrastructure Services.pdf
byCiente
 
PDF
Cloud Clinique Enterprise IT Certification Program - Module Matrix
byAdrian Hall
 
PDF
navigating the cloud key considerations for cloud computing solutions.pdf
bybasilmph
 
PDF
The Digital Imperative Why Cloud Audits Are Crucial in 2025.pdf
byKanika Vatsyayan
 
PPTX
Positive Hack Days. Christopher Gould. Head in the Clouds…Can we overcome sec...
byPositive Hack Days
 
PDF
How Secure Is Cloud
byWilliam Lam
 
PPTX
Isaca cloud security presentation duncan unwin 16 jul13
byDuncan Unwin
 
PPTX
Cloud Cmputing Security
byDevyani Vaidya
 
PPTX
Cloud computing Risk management
byPadma Jella
 
PPTX
IASA eSummit Nov 15 - signposts for security investment in a cloud world
byWayne Anderson
 
PPTX
Moving Enterprise Applications to the Cloud
byVISI
 
PDF
Resetting Your Security Thinking for the Public Cloud
byMighty Guides, Inc.
 
PDF
10 questions to ask your cloud provider
byHighQ
 
PPTX
Cloud Computing dominated by AI in modern world
byDhruvPatel79152
 
Cloud Computing Security Issues
byDiscover Cloud Computing
 
Strategies for assessing cloud security
byArun Gopinath
 
Strategies for assessing cloud security
byIBM India Smarter Computing
 
Ast 0064255 strategies-for_assessing_cloud_security
byAccenture
 
Cloud Security: Perception VS Reality
byKVH Co. Ltd.
 
Building and Operating Clouds
byBMC Software
 
Security Considerations When Using Cloud Infrastructure Services.pdf
byCiente
 
Cloud Clinique Enterprise IT Certification Program - Module Matrix
byAdrian Hall
 
navigating the cloud key considerations for cloud computing solutions.pdf
bybasilmph
 
The Digital Imperative Why Cloud Audits Are Crucial in 2025.pdf
byKanika Vatsyayan
 
Positive Hack Days. Christopher Gould. Head in the Clouds…Can we overcome sec...
byPositive Hack Days
 
How Secure Is Cloud
byWilliam Lam
 
Isaca cloud security presentation duncan unwin 16 jul13
byDuncan Unwin
 
Cloud Cmputing Security
byDevyani Vaidya
 
Cloud computing Risk management
byPadma Jella
 
IASA eSummit Nov 15 - signposts for security investment in a cloud world
byWayne Anderson
 
Moving Enterprise Applications to the Cloud
byVISI
 
Resetting Your Security Thinking for the Public Cloud
byMighty Guides, Inc.
 
10 questions to ask your cloud provider
byHighQ
 
Cloud Computing dominated by AI in modern world
byDhruvPatel79152
 

Recently uploaded

PDF
How to not make bugs (in JSC), and the future of 32-bits
byIgalia
 
PDF
"Visual Guide to DSA: Big O Notation, Data Structures, and Algorithms Fundame...
byNusrat Gulbarga
 
PDF
Writing GPU-Ready AI Models in Pure Java with Babylon
byAna-Maria Mihalceanu
 
PDF
Career Blueprint: Mentor Tracks & Career Clinic - Part 2
byDianaGray10
 
PPTX
Career Blueprint - Future Career Vision & Success Stories - 2025 - Part 1
byDianaGray10
 
PPSX
AppSec Role Based Training OWASP Global AppSec USA 2025-11-06
byRobert Grupe, CSSLP CISSP PE PMP
 
PDF
Access Linux File System in RHEL - RHCSA (RH124).pdf
byLinuxCert Guru
 
PDF
Configure and Secure SSH - RHCSA (RH124).pdf
byLinuxCert Guru
 
PDF
WebXR in Android and Linux with OpenXR
byIgalia
 
PDF
#MakeAIMatter for HR Professionals | AI Transformation Workshop by Tekdi Tech...
byParth Lawate
 
PDF
Manage Networking in RHEL - RHCSA (RH124).pdf
byLinuxCert Guru
 
PDF
Unveiling the Basics of Agentic AI - OSUG Mumbai
bythesubuiyer
 
PPTX
Expanding Your Toolbox: Beginners Guide to Controlling Kubernetes Logs
byEric D. Schabell
 
PDF
Do more with the HP Z2 Mini G1a
byPrincipled Technologies
 
PDF
Catalog Data - Keys to the Kingdom.pdf‎ ‎
byPrecisely
 
PDF
Private Governance: How Decentralized Mechanisms Can Regulate the Crypto Economy
byFederico Ast
 
PPTX
Sephora UAE API Service Real-Time Product & Price Data Access.pptx
bycreativeclicks1733
 
PPTX
AI and Linux in 2025 - Jay LaCroix, Learn Linux TV
byAll Things Open
 
PDF
Dr. Robert Krug - Specializes In Predictive Modeling
byDr. Robert Krug
 
PDF
MathML Core in WebKit
byIgalia
 
How to not make bugs (in JSC), and the future of 32-bits
byIgalia
 
"Visual Guide to DSA: Big O Notation, Data Structures, and Algorithms Fundame...
byNusrat Gulbarga
 
Writing GPU-Ready AI Models in Pure Java with Babylon
byAna-Maria Mihalceanu
 
Career Blueprint: Mentor Tracks & Career Clinic - Part 2
byDianaGray10
 
Career Blueprint - Future Career Vision & Success Stories - 2025 - Part 1
byDianaGray10
 
AppSec Role Based Training OWASP Global AppSec USA 2025-11-06
byRobert Grupe, CSSLP CISSP PE PMP
 
Access Linux File System in RHEL - RHCSA (RH124).pdf
byLinuxCert Guru
 
Configure and Secure SSH - RHCSA (RH124).pdf
byLinuxCert Guru
 
WebXR in Android and Linux with OpenXR
byIgalia
 
#MakeAIMatter for HR Professionals | AI Transformation Workshop by Tekdi Tech...
byParth Lawate
 
Manage Networking in RHEL - RHCSA (RH124).pdf
byLinuxCert Guru
 
Unveiling the Basics of Agentic AI - OSUG Mumbai
bythesubuiyer
 
Expanding Your Toolbox: Beginners Guide to Controlling Kubernetes Logs
byEric D. Schabell
 
Do more with the HP Z2 Mini G1a
byPrincipled Technologies
 
Catalog Data - Keys to the Kingdom.pdf‎ ‎
byPrecisely
 
Private Governance: How Decentralized Mechanisms Can Regulate the Crypto Economy
byFederico Ast
 
Sephora UAE API Service Real-Time Product & Price Data Access.pptx
bycreativeclicks1733
 
AI and Linux in 2025 - Jay LaCroix, Learn Linux TV
byAll Things Open
 
Dr. Robert Krug - Specializes In Predictive Modeling
byDr. Robert Krug
 
MathML Core in WebKit
byIgalia
 

TierPoint White Paper_With all due diligence_2015

  • 1.
    www.tierpoint.com WHITE PAPER This paperserves as a guide to investigating and understanding a prospective cloud provider’s true security capabilities in a modern cloud environment. With All Due Diligence
  • 2.
    2www.tierpoint.com WHITE PAPERWith AllDue Dilgence Table of Contents Executive Summary. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 The Four Cornerstones ofYour Due Diligence .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2 1: Verify Infrastructure. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2 2: Verify Certifications. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 3: Verify the Provider’s Own Due Diligence. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 4: Verify Data Protection.. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 Conclusion and Recommendations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10 References. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
  • 3.
    1www.tierpoint.com WHITE PAPERWith AllDue Dilgence Executive Summary Do you hand over your company’s data to your cloud services provider without making sure they are fully capable of protecting it? The Ponemon Institute has found that only 43% of businesses utilizing cloud services actually “audit or assess cloud computing resources before deployment.”i That is a big problem, according to the Cloud Security Alliance: they say that the failure of organizations to conduct due diligence on their cloud vendors is one of the top cloud computing threats, in part because customers tend to underestimate the danger of performing insufficient due diligence (see Figure 1). ii And the issue is only becoming more and more prevalent, given the growth of cloud computing in the modern marketplace: over half of American companies are using cloud computing systems,iii with expenditures on cloud services likely surpassing $180 billion by 2015iv . It’s time to take due diligence and give it its due; it’s no longer enough to simply ask for a list of compliance certifications.The need for sophisticated due diligence has grown exponentially just within the past couple of years. But how do you determine which cloud providers can deliver on their promises, and which cloud offerings are just smoke and mirrors? This paper will help you understand, clearly and concisely, what due diligence should mean to you in the modern cloud environment.We’ll walk through the kinds of information you need to unearth – including the subtle, non-obvious questions – to be sure your prospective cloud provider isn’t merely compliant but truly secure and reliable. Risk Relevance Rank Figure 1. Source: Cloud Security Alliance Cloud Provider Due Diligence At A Glancev
  • 4.
    WHITE PAPERWith AllDue Dilgence 2www.tierpoint.com The Four Cornerstones of Your Due Diligence Cornerstone #1: Verify Infrastructure Make sure that the provider’s cloud hardware and infrastructure is based on a standardized set of equipment. The equipment for all of their cloud infrastructure – including multiple data centers, multiple physical servers and multiple storage area networks – should be both standardized and enterprise-class. Why? The cloud – your cloud – lives on that infrastructure. Good cloud providers will put their infrastructure through as much due diligence as the cloud itself (we’ll cover this point more in Cornerstone 3). This issue is foundational – that is, it’s literally the foundation upon which your cloud will rest. Make sure it’s robust enough to shoulder the weight. There are four key elements to infrastructure: facilities, hardware, core connectivity and delivery.TierPoint’sVice President of Technical Services, Brian Bean explains, “Infrastructure is a broad and often misunderstood term. It means hardware first and foremost, but it’s also talking about how that hardware is architected, assembled and used. It immediately implies questions most customers don’t even think about:Will every piece of equipment work with other pieces of equipment in the environment?” That can become a major issue during failover [disaster recovery] protocols. Is the cloud provider locked into particular vendors? Too much reliance on a single vendor can impact performance and present budgetary concerns. InsiderTip: “My number one piece of advice would be to make sure that their cloud hardware and infrastructure is based on a standardized set of equipment.” - Denoid Tucker, Chief Technology Officer, TierPoint
  • 5.
    WHITE PAPERWith AllDue Dilgence 3www.tierpoint.com For example, a patchwork quilt of technologies and components raises costs by requiring multiple sets of adapters, cables and switches. Ideally, hardware resources should be uniform (for ease and cost effectiveness), physically distributed (for security and business continuity planning) and centrally managed (for responsiveness). Security should be architected into the infrastructural planning rather than tacked on, or worse, using security protocols designed for an environment different than the one used for your data. From the micro to the macro, infrastructure also encompasses the environment’s total physical and logical security. In other words, have the cloud provider’s data centers as a whole been secured against both physical and virtual intrusion using best-in-class protocols, design and physical equipment/layout? Indeed, the implications of how well (or poorly) infrastructural components are chosen and implemented ripple outward into every other aspect of the cloud provider’s operations, including performance and risk.According to the International Working Group on Cloud Computing Resiliency (IWGCR), the average downtime for a cloud provider is 7.5 hours per year. Infrastructure is a major component of whether your provider will beat the average or not. Similarly, security risks can be traced back to infrastructure. Questions ranging from “who can access my data?” to “what happens if servers fail – will we lose data?” depend on the quality and consistency of the provider’s infrastructure. Thankfully, the industry has established some pretty clear metrics here, and many guides will indicate specific elements of infrastructure you should investigate (we’ll point you toward a couple later in this paper). Plus, you have another avenue for verifying infrastructural integrity: certifications. We’ll cover those next.
  • 6.
    WHITE PAPERWith AllDue Dilgence 4www.tierpoint.com Cornerstone #2: Verify Certifications Nearly three-quarters (72%) of companies told researchers at the Ponemon Institute that they are unsure, disagree or strongly disagree that their cloud providers are “in full compliance with privacy and data protection regulations and laws.”vi That’s shocking because certifications are just about the simplest thing to verify. In fact, savvy business IT leaders, especially larger enterprises, don’t necessarily see certifications as all that interesting.Their response to seeing those certs? “Of course you have that; you have to have that layer of certification. Otherwise, I wouldn’t even be talking to you.” They recognize that certifications establish that a provider meets minimum thresholds established by law. But as we all know, the law sometimes struggles to keep up with cutting-edge trends in technology. So the certification is the beginning of the conversation, not its end. In other words, there’s more to this step than meets the eye, much more than just crossing line-items off a checklist.A cloud provider’s certifications can give you a lot of valuable secondary information, allowing you to triangulate the cloud provider’s capacity to meet your needs. First, certs highlight industries served. While the “alphabet soup” of compliance regulations (HIPAA, PCI, SOX, GLB, SOC, ISO, FedRAMP…) is quite diverse, certification generally means that an independent accrediting organization has done its own form of (narrowly focused) due diligence on the cloud provider. Compliance indicates at least minimally satisfactory performance metrics and security safeguards that are in line with industry standards and applicable laws. For instance: if the cloud provider is PCI DSS compliant, you know it adheres to the proprietary information security standard for organizations that handle branded credit cards. If it is HIPAA compliant, you know it adheres to the policies, procedures and guidelines for maintaining the privacy and security of individually identifiable health information. Other specific certifications will vary according to customer needs and circumstances. But in all cases your goal during due diligence is two-fold: first, to understand whether the cloud service provider adheres to industry standards for security; and second, to understand their data center operational efficiencies. For example, SSAE 16 certification assesses the internal controls of a service organization; SSAE 16 Type 1 substantiates the suitability of the controls, while Type 2 attests to their operational effectiveness. InsiderTip “I would advise looking at the layers of certification that the company has, and figure out why they have those particular certification layers.” - Paul Mazzucco, Chief Security Officer, TierPoint
  • 7.
    WHITE PAPERWith AllDue Dilgence 5www.tierpoint.com Secondly, certs tell you what kinds of clients have already done due diligence on the provider. For instance, if a cloud provider has obtained PCI accreditation, obviously that means they have clients working in the financial sector. In that case, according to TierPoint’s CSO Paul Mazzucco: “It’s important to check the number of financial services clients the cloud provider is supporting. Is it three clients or 20? PCI accreditation tells you they meet the letter of the law, while the depth of their financial services client base tells you how many other major players performed the same due diligence and are comfortable enough with their discovery to have chosen that cloud provider.” In other words, you’re not the first company to do due diligence on them. Third, they offer you a starting point to ask how the provider stays truly secure, not just compliant. Finally, a smart client will use the certs as a starting point for the security conversation.“Okay, so you’re certified. Now show me all the other things that are going to make me sleep well at night. Prove to me that you test all these processes and procedures.” Using the financial services industry example, look beyond PCI accreditation. Ask the cloud provider about their knowledge of data retention and encryption. Examine their processes and procedures. Demand proof that security protocols are in place and that they were implemented correctly and tested against industry best practices. In other words, ask what due diligence the provider has done on itself.
  • 8.
    WHITE PAPERWith AllDue Dilgence 6www.tierpoint.com Cornerstone #3: Verify the Provider’s Own Due Diligence Unplanned downtime can cause serious financial consequences for any business. A December 2013 Ponemon Institute study quantified the cost of an unplanned data center outage at $7,900/minute, up 41% from 2010.vii Your cloud provider should be doing its own due diligence to ensure its equipment, networks and protocols actually work through a broad spectrum of scenarios both ordinary and catastrophic. According to TierPoint CTO Denoid Tucker: “Our xCloud infrastructure goes through as much due diligence as the cloud itself. People early on weren’t asking,‘What happens if a major weather event in Hawthorne, NYcauses a disruption? Where does my data go because you’re my cloud provider?’ But today they are asking those questions, and we have to show them new layers of due diligence to prove that we have an Incident Response Plan (IRP) in place along with the processes and procedures to implement it. In other words, we know what to do if something happens in any one of our data centers; we can show where the client fits into the plan; and, perhaps most importantly, we can provide evidence that our procedures have been tested and proven to work.” Does the cloud provider know how to fail successfully? Any given risk to the provider’s infrastructure might be low, but it’s never zero, and any provider that offers enterprise-class services must make arrangements for resources beyond just a single data center. For instance, in the case of extreme weather, such as Hurricane Sandy, it’s critical that your cloud provider has redundancy and capacity built in.You do not want to do business with a provider that does not plan for growth while maintaining their stated levels of high-availability. Due diligence is about eliminating as much risk as possible; ensure that a provider’s growth will not create a high-risk situation for your critical business workloads. One of the best ways to do this is to make sure your workloads are distributed across multiple, highly resilient facilities.That requires the cloud provider to have developed its own contingency plan to deal with unforeseen disasters or performance issues; so ask them to map out those DR and BC plans for you. InsiderTip “I would want to see and understand the third-party due diligence the provider has obtained.” - Denoid Tucker, CTO,TierPoint
  • 9.
    WHITE PAPERWith AllDue Dilgence 7www.tierpoint.com Consider public cloud giant Amazon: when they suffered a major outage at their NorthernVirginia data center in 2012, it hit customers hard; but those that had adopted a cloud model involving multiple data centers across availability zones (AZ) suffered little or no ill effects.viii, ix One major caveat: most of those Amazon customers had to specially set up service in multiple data centers.Those who did not lost their service until the NorthernVirginia location was restored.Which is why even Amazon’s own CTO WernerVogels preaches that IaaS cloud users should prepare for failure: opting not to pay for redundancy, for example, may be “penny wise” for ordinary usage but can prove to be “pound foolish” during catastrophic outages. Is your cloud provider’s people smart? Another area of internal due diligence that often gets overlooked by customers: staffing. Not only are you investing in a provider’s technology, you are depending on the quality of their people too. Do you trust them with your job? Background checks may be overkill, unless the cloud provider will be working with government agencies; however, it is advisable to ask about, for example, internal protocols for managing employee access to customer data, or what technical certifications are required by the cloud provider for the engineers building and maintaining your cloud. Altogether, if the cloud provider hasn’t done due diligence on itself, it cannot verify it can meet your needs even in extreme circumstances … and that means it can’t guarantee the safety of your data.
  • 10.
    8www.tierpoint.com WHITE PAPERWith AllDue Dilgence Cornerstone #4: Verify Data Protection Data loss is a serious threat for cloud customers.We would argue that all of the other due diligence verifications we’ve discussed (infrastructure, certs, etc.) lead to this one, because ultimately it’s about keeping your systems, your apps and, above all else, your data safe. And that’s not a trivial task. One 2014 survey found that a staggering 43% of companies had a data breach in the past yearx and 45% of businesses have had data lost within the past 12 months, 11% of whom were required to disclose the loss publicly. xi With some 800 million records lost in 2013 alone, data breaches, theft and loss are serious business. Not to mention expensive: the Ponemon’s Institute’s “2014 Cost of Data Breach Study: United States” found it costs businesses $201 per record lost, a $9 increase from the previous year. xii (It should be noted the Ponemon study also found that data loss is actually less costly “when the organization’s use of IaaS or cloud infrastructure increases.”) Once upon a time, protecting the perimeter was enough. Today that’s a fairy tale. Securing against data breaches and data loss means something very different than it did even just a couple of years ago, and focusing security efforts on the perimeter is insufficient. Just ask Target, JPMorgan Chase, eBay or Home Depot. In fact, since the Target breach, there has been a major data breach discovered almost every month. xiii Tom Kellermann, the chief cybersecurity officer at IT security firm Trend Micro, told the Washington Post in the aftermath of the Home Depot mega-hack (in which some 56 million credit card numbers were compromised),“Current standards of security for these large organizations are very perimeter-focused and don’t deal with the level of attacks that are going on in the market.” xiv Today, protecting against breaches means continuously monitoring the entire network and its activity for any and all anomalies.Ask your cloud provider how they adapt internal security controls and processes to identify and meet the security impact of technological changes.Then, in turn, are those changes documented and proven via the cloud provider’s own due diligence? InsiderTip “Look for the ability to secure your business against data breaches by being able to monitor the data flow and know when there’s any sort of intrusion into your network.” - Paul Mazzucco, Chief Security Officer, TierPoint
  • 11.
    9www.tierpoint.com WHITE PAPERWith AllDue Dilgence The risks are evolving faster than the speed of business. This is all because threats have evolved significantly.As TechCrunch reports, “As organizations have bolstered their security, hackers also evolved. Attacks today are more sophisticated and targeted than ever before. Rather than sending generic malware, hackers today carefully plot each and every attack, using unique,“zero-day” exploits that render signature-based protections nearly useless.”xv These new threats require a new kind of proactive,adaptive monitoring that are difficult to implement.In fact,this may be part of the reason why you’re even considering a cloud provider in the first place;since cloud security is part of their core service,they make major investments in it - a level of investment that companies whose core business lies elsewhere might not be able or willing to make - including beyond adequate levels of encryption and key management, hardware and smoke control to protect against denial of service,stringent background checks and employee training to protect against malicious insiders,etc.
  • 12.
    10www.tierpoint.com WHITE PAPERWith AllDue Dilgence Conclusion and Recommendations Due diligence is no longer simply a checklist.Your cloud provider is one of the most strategic business partners that you can have, and you cannot go into such a key business relationship without verifying that they can deliver on the promise of ever-evolving cloud services. Just as security has moved from relatively straight-forward malware signature detection to adaptively and proactively seeking out anomalous behavior, due diligence is a painstaking process of searching out the anomalies and gaps in your current or prospective cloud provider’s offerings. In fact, due diligence may just be the single most important step you can take to effectively mitigate the risk of hosting your company’s data, applications and operating environments in the cloud.To ensure you perform due diligence equal to modern requirements, we recommend the following actions: 1. Visit the provider’s data center facilities. If they don’t permit customer visits, that should be an immediate red flag. Business customers should be able to see the facilities, equipment and people that will be hosting and protecting their valuable data. 2. Request and follow up with references. Ask to see the certifications alongside a client list that demonstrates diversity in the client base.Ask why those clients chose that provider over what other competitors were offering. 3. View compliance certificates; in the case of SSAE 16, also view the Statements of Applicability. Not only can these documents provide evidence of the certs, they can also shed light on specific security controls and operational controls. 4. Require evidence. Don’t be afraid to ask for evidence of security or performance claims; take nothing at face value.A professional cloud provider will be happy to demonstrate what they’re doing to be really secure, not just compliant. Further, continue to ask for evidence on demand as needed: access logs, data flow of firewalls, etc. 5. Take advantage of professional resources to help guide your due diligence. In particular, the Cloud Security Alliance has put together a comprehensive and detailed guide that we recommend. For instance the CSA’s Cloud Controls Matrix contains 269 standards covering every aspect of cloud security implementation, operation and maintenance. 6. Test it yourself. Order your own independent penetration tests.You may have to pay for it, but it’s a worthwhile investment: choosing a provider wisely will return dividends over the years.
  • 13.
    WHITE PAPERWith AllDue Dilgence 11www.tierpoint.com References i. (2013, Mar). Security of Cloud Computing Users Survey.The Ponemon Institute. Retrieved November 17, 2014, from http://www.ca.com/kr/~/media/Files/IndustryAnalystReports/2012- security-of-cloud-computer-users-final1.pdf ii. (2013, Feb).The Notorious Nine: Cloud Computing Top Threats in 2013.The Cloud Security Alliance. Retrieved October 1, 2014, from https://downloads.cloudsecurityalliance.org/ initiatives/top_threats/The_Notorious_Nine_Cloud_Computing_Top_ Threats_in_2013.pdf iii. Young, M. (2013,Aug). 5 Benefits of BYOD with Cloud Computing. CloudTweaks. Retrieved October 1, 2014, from http://cloudtweaks.com/2013/08/article-title-5-benefits-of-byod-with- cloud-computing/ iv. McCue,T. (2014, Jan 29). Cloud computing: United States businesses will spend $13 billion on it. Forbes. Retrieved October 5, 2014, from http://www.forbes.com/sites/tjmccue/2014/01/29/ cloud-computing-united-states-businesses-will-spend-13-billion-on-it/ v. (2013, Feb).The Notorious Nine: Cloud Computing Top Threats in 2013.The Cloud Security Alliance. Retrieved October 1, 2014, from https://downloads.cloudsecurityalliance.org/ initiatives/top_threats/The_Notorious_Nine_Cloud_Computing_Top_ Threats_in_2013.pdf vi. (2014, Sep). Data Breach:The Cloud Multiplier Effect in European Countries. Ponemon Institute. Retrieved October 5, 2014, from http://www.netskope.com/wp-content/ uploads/2014/09/Netskope-EU-consolidated-Research-Report-FINAL.pdf vii. Ponemon Institute. (2013, December).The Lowdown on Data Center Downtime: Frequency, Root Causes and Costs. Emerson Network Power. Retrieved August 22, 2014, from http://www.emersonnetworkpower.com/en-US/Solutions/ByApplication/ DataCenterNetworking/Data-Center-Insights/Pages/Causes_of_Downtime_Study.aspx viii. Adler, Brian. (2013, January 4).AWS Outage Lessons Learned: If Netflix Can Suffer, So Can You. Right Scale. Retrieved August 14, 2014, from http://www.rightscale.com/blog/cloud- management-best-practices/aws-outage-lessons-learned-if-netflix-can-suffer-so-can-you ix. Pryor, D. (2013, Jun 4).Ten vital questions to ask your cloud provider. HighQ. Retrieved October 1, 2014, from http://highq.com/blog/ten-vital-questions-to-ask-your-cloud-provider x. Wise, E. (2014, Sep 24). 43% of companies had a data breach in the past year. USATODAY. Retrieved November 3, 2014, from http://www.usatoday.com/story/tech/2014/09/24/data- breach-companies-60/16106197/ xi. Finneran, M. (2013, Dec 4). How mobile security lags BYOD. Darkreading. Retrieved October 1, 2014, from http://www.darkreading.com/mobile-security/how-mobile-security-lags-byod/d/ d-id/1112902 xii. Messmer, E. (2014, May 5). Data breaches 9% more costly in 2013 than year before. Network World. Retrieved October 3, 2014, from http://www.networkworld.com/article/2176589/ malware-cybercrime/data-breaches-9--more-costly-in-2013-than-year-before.html xiii. (2014, June 19). 5 Data Breach Statistics Worth Knowing. Paymetric Blog. Retrieved November 3, 2014, from http://www.paymetric.com/uncategorized/5-data-breach-statistics- worth-knowing xiv. Halzack, S. and Peterson,A. (2014, Sep 9). Home Depot breach reveals how challenging it is to ward off data theft.The Washington Post. Retrieved September 15, 2014, from http://www.washingtonpost.com/blogs/the-switch/wp/2014/09/09/home-depot-breach- reveals-how-challenging-it-is-to-ward-off-data-theft/ xv. Eshel, P; Moore, B; Shalev, S. (2014, Sep 6).Why Breach Detection IsYour New Must-Have, Cyber Security Tool TechCrunch. Retrieved October 1, 2014, from http://techcrunch. com/2014/09/06/why-breach-detection-ss-your-new-must-have-cyber-security-tool/
  • 14.
    AboutTierPoint TierPoint is aleading national provider of cloud, colocation, managed services and disaster recovery solutions designed to help organizations improve business performance and manage risk. With corporate headquarters in St. Louis, Mo., TierPoint operates 13 highly-redundant,Tier III plus data centers in the states of Washington,Texas, Oklahoma, Pennsylvania, Maryland, NewYork, Massachusetts and Connecticut. To find out how TierPoint can help you with your cloud, colocation, managed services and disaster recovery initiatives — call 877.859.TIER (8437), email [email protected], or visit us at www.tierpoint.com. TierPoint 520 Maryville Centre Dr. St. Louis, MO 63141 www.tierpoint.com © 2015 TierPoint, LLC.All Rights Reserved.