Enforcing end-to-end security in the cloud requires knowing how to choose the right security product and vendor, and following sound practices for managing the service-level agreement (SLA).
According to Bryce Boland, Chief Technology Officer of Asia-Pacific at FireEye, companies should follow these tips when making a purchasing decision:
• Review the vendor's service history, obtain customer references and ask them about their experiences with the vendor's concern for privacy, reliability and security vulnerabilities.
• Be certain that application and infrastructure security requirements are written into your contract with any SaaS provider. Include an audit clause whereby you or a third-party can periodically verify that the required controls are in place.
• Carefully examine the vendor's policies for data recovery in the event you decide to terminate the service. Be certain that you know how long it will take to retrieve your data as well as how long it will take to make it inaccessible online.
• Always maintain ownership of domain names that you provide to clients. That way, if you terminate a vendor relationship, you will not have to retrain your clients on the correct URL to use to find you.
Boland adds that after settling on a vendor or product, users should consider the following best practices to ensure cloud security:
• Get a solid Service-Level Agreement. An SLA requires that the vendor provide a specified level of system reliability. A good vendor will strive for performance that meets Six Sigma levels of service quality (e.g., 99.9997 percent of security patches made within a set number of hours, not days, after public disclosure).
• Insist that the vendor's own software development process adheres to a robust software development life cycle model that includes tollgates that check for secure coding standards. Request that a description of the process be appended to the SLA.
• Do not accept a policy of making silent fixes to service. Demand notice from the vendor when security fixes are made. Specify in the SLA that you as the CISO are to be notified directly about these reports.
• Maintain strong encryption standards and key management for data transmission between your site and the vendor site.
• Control domain access as well as where and when services can be accessed by your users. If possible, be certain that they must first log in to your network to access corporate information on the SaaS vendor site.
The FireEye CTO will be speaking more about the topic at the upcoming CommunicAsia2014 Summit in June.
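The transport-encryption point in the list above, as an added example that is not code from the article or from FireEye: assuming the site-to-vendor link is TLS, this Python client shows the configuration to refuse (certificate and hostname verification switched off) beside a hardened one (TLS 1.2 minimum, verification required, restricted cipher list), audits a context for those settings, and judges what a live connection actually negotiated. The version floor, the 128-bit threshold, the cipher-name markers and the host name `vendor.example` are assumptions for the example, not figures from the page.

```python
"""Weak vs. hardened TLS client configuration for traffic between your site and a
SaaS vendor endpoint. Added example; not code from the article or from FireEye."""
from __future__ import annotations

import socket
import ssl

# Policy assumed for this example (the page names no specific standard):
# TLS 1.2 or newer, certificate and hostname verification required, >=128-bit
# symmetric keys, and none of the legacy algorithms matched by these markers.
MIN_VERSION = ssl.TLSVersion.TLSv1_2
ACCEPTED_VERSIONS = ("TLSv1.2", "TLSv1.3")
WEAK_CIPHER_MARKERS = ("RC4", "3DES", "DES-CBC", "NULL", "EXP", "ADH", "AECDH", "MD5")


def weak_client_context() -> ssl.SSLContext:
    """The configuration to refuse: the client accepts any certificate for any
    hostname, so an on-path attacker can terminate TLS with a self-signed cert."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_client_context(ca_file: str | None = None) -> ssl.SSLContext:
    """Verification on (system trust store, or a pinned CA bundle via ca_file),
    TLS 1.2 minimum, and only forward-secret AEAD suites for TLS 1.2
    (TLS 1.3 suites are managed separately by OpenSSL and are all AEAD)."""
    ctx = ssl.create_default_context(cafile=ca_file)  # CERT_REQUIRED + check_hostname
    ctx.minimum_version = MIN_VERSION
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5:!RC4:!3DES")
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list[str]:
    """Return policy violations found in a context's settings (empty list = compliant)."""
    findings: list[str] = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("peer certificate not required")
    if not ctx.check_hostname:
        findings.append("hostname verification disabled")
    if int(ctx.minimum_version) < int(MIN_VERSION):
        findings.append(f"minimum protocol {ctx.minimum_version.name} is below TLS 1.2")
    for suite in ctx.get_ciphers():
        name = suite["name"].upper()
        if any(marker in name for marker in WEAK_CIPHER_MARKERS):
            findings.append(f"weak cipher suite enabled: {suite['name']}")
    return findings


def negotiated_is_acceptable(version: str, cipher_name: str, secret_bits: int) -> bool:
    """Judge what an established connection reports via SSLSocket.version() and
    SSLSocket.cipher(); usable as a post-handshake assertion in integration tests."""
    if version not in ACCEPTED_VERSIONS:
        return False
    if secret_bits < 128:
        return False
    return not any(marker in cipher_name.upper() for marker in WEAK_CIPHER_MARKERS)


def connect_and_check(host: str, port: int = 443) -> tuple[str, str, int]:
    """Open a hardened connection and return (version, cipher, bits); raises if the
    peer fails verification or negotiates something outside the policy."""
    ctx = hardened_client_context()
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            version = tls.version() or ""
            cipher_name, _proto, bits = tls.cipher()
    if not negotiated_is_acceptable(version, cipher_name, bits):
        raise ssl.SSLError(f"{host} negotiated {version} {cipher_name} ({bits} bits)")
    return version, cipher_name, bits


if __name__ == "__main__":
    print("weak context findings:", audit_context(weak_client_context()))
    print("hardened context findings:", audit_context(hardened_client_context()))
    # connect_and_check("vendor.example")  # hypothetical host; needs network access
```

Run the audit against whatever context your integration code actually builds, not a fresh one: the usual failure is a library call that passes `verify=False` or `CERT_NONE` deep inside a wrapper, and `audit_context` will flag that the moment it is handed the real object. Pass a pinned CA bundle as `ca_file` when the vendor uses a private CA, and keep the key material for that bundle under the same rotation process as the rest of your key management.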