My organization is increasing cloud use and was told that extensive due diligence was critical. What are some of the cloud security controls that should be considered for both internal and cloud provider due diligence?
Due diligence is the process of evaluating cloud vendors, and in some cases internal procedures and resources, to ensure business objectives are met and the company's interests are protected. In the case of selecting a cloud computing provider, due diligence entails investigating the potential cloud providers to understand how they implement best practices, protect their customers' assets and meet the scope of your requirements.
Due diligence should include verifying that the cloud provider can offer the cloud security controls and meet the scope of services expected by the enterprise. A request for proposal (RFP) can be used to define what is expected, and cloud providers can then use the RFP to formulate their responses. The RFP should specify what is required in terms of service-level agreements, cloud security controls, compliance requirements, data and systems integration needs, service management, access to cloud provider audit reports and, in some cases, on-site reviews.
Customers should review the certifications obtained by cloud providers. Amazon Web Services (AWS), for example, publishes a risk and compliance whitepaper that describes its risk management practices and cloud security controls. It also lists its certifications with respect to ISO 9001, HIPAA, PCI DSS and others.
When reviewing certifications, consider which services the compliance applies to. For example, AWS EC2, S3 and Redshift are all certified for use with data subject to HIPAA regulation, but others, such as Simple Queue Service and the Container Service, are not. In some cases, such as Elastic MapReduce, particular configurations are required to comply with HIPAA requirements.
When conducting due diligence, use multiple techniques, including document review, proofs of concept and trial evaluation periods, to collect as much information as possible in order to mitigate risk to your organization.