How to Check a Cloud Vendor’s Technical Security Measures Are Adequate?

Just as a building requires proper physical security measures, such as doors made of sturdy materials fitted with appropriate locks, a vendor's technical infrastructure needs well-secured technical measures that are built in, configured, or implemented appropriately. You can think of a cloud vendor's technical infrastructure (servers, network, platform, databases, and applications) as the equivalent of a building.

If the vendor follows secure-configuration guidance for commonly used infrastructure components, it must also proactively update those products to patch security holes and other vulnerabilities as they are identified. If, however, the vendor uses less common components to differentiate itself from its competitors, check that the vendor's staff has the technical security expertise to develop a secure configuration for them.

To ensure the security of the infrastructure, it is also important to evaluate how changes are tested and approved. Once the infrastructure is 100% secured, the vendor needs to ensure that changes to its components and configuration don't open up other security loopholes.

For that purpose, evaluate the policies and procedures the vendor has in place to manage changes: how the need for a change is determined, down to the actual programming or configuration change required, and whether each change is tested before it is moved into the production environment so that it does not impact operations or security.

If programming is involved, the best practice is that programmers do not have direct access to the production environment; this ensures that they can't sneak in changes without proper testing and authorization.

Alternatively, you may do the following:

  • Use cloud services from major vendors, as these are mostly secure. You can check the published descriptions of their management processes and technical measures.
  • Use the Cloud Security Alliance framework, which encourages vendors to publish their security information.
  • Ask your vendor for a Service Organization Controls (SOC) report covering security and privacy.