The Outrageously Magnificent Cyber Pre-Cloud Migration List of Things You Need To Ask Before It’s Too Late
The following conversation never happened.
An anonymous boardroom in an undisclosed location. Nice mahogany table, leather couches, a bottle of bourbon next to the pile of papers next to me.
All could have been a very nice scene if it weren’t for the two other characters in this setting.
The first, a slickly dressed man in a three-piece suit and a cowboy hat sitting in front of me, wearing a name tag that reads: “the cloud provider’s security”.
Behind me, a worried-looking bespectacled person, with a crumpled shirt and bizarre non-matching socks. His name tag reads: “I’m on your side”.
The cowboy in front of me leans forward, looks me in the eye and smacks me across the face. He then says in a southern drawl: “All y’all be getting is a piece of toilet paper once per year, saying: ‘we be good on security’, and if I feel like it, I’ll even sign it”.
The worried looking guy behind me buzzes: “we can’t take this, it gives us no assurances!”
I wave a calming hand at the worried guy and look at the cowboy carefully, and then smack him right back. “You’ll be giving us full access to your environment, including DBA rights” I growl in my not at all imaginative baritone.
The cowboy looks amused, nods to himself and in one swift motion breaks the bottle of bourbon on my head. “I’ll give you an executive summary of a penetration test we ran on the CEO’s ashtray. And let me tell ya already, it’s compliant”.
I nod thoughtfully while wiping bourbon off my face. “I knew this was a bad idea this Cloud thingy” mumbles the worried guy. “We should back out while we can”.
I smile carefully at the cowboy and in one fluid motion lift the worried guy and throw him at the cowboy’s head. “We’ll accept nothing less than your CEO’s firstborn to be handed over to us as compensation when a security incident happens. And it will happen”.
The dazed cowboy gets up and screams at me: “WE ARE THE CLOUD. YOU WILL TAKE OUR TERMS OR GO HOST YOUR STUFF ON PREMISE. I’M LEAVING AND I’M TAKING THIS WORRIED LOOKING GUY WITH ME”.
“Tell IT to turn the Mainframe back on!” shouts the worried looking guy as the cowboy drags him out of the room.
Now I have some good news and some bad news.
The bad news? This almost imaginative dialogue (I mean seriously, who breaks a perfectly good bottle of bourbon as part of contract negotiations?) has put the security officer in a familiar location during negotiations between a Cloud provider and his own company. In the middle. Between the hammer and the anvil. Between a rock and a hard place. Between the ham and the cheese. Between Cheech and Chong. You get my drift.
On the one hand, you have your own organization that is fidgeting between two conflicting emotions: the feeling that the magical Cloud will offer amazing cost savings alongside IT services based on nanotechnology, and the belief that the Cloud is not as secure/robust/tamper-proof as the company’s on-premise solution, together with the thought that the security officer needs to sign the contract in blood assuring that the Cloud is as secure as Fort Knox. Because hey, we know US Federal Government institutes never get hacked.
On the other hand, you have the supplier who serves hundreds of companies, and will not allow any of them to dictate terms. They are the Cloud. Resistance is futile.
But now for the good news! This scenario is, mostly, typical of a negotiation that took place five years ago. Both the Worried Man and The Cowboy are doing much better now, thank you for asking.
The Worried Man has since realized that a (proper) Cloud environment can actually be better than his own onsite infrastructure. The Cowboy had a rude awakening when he suddenly saw that there are enough cow pokers around, all doing the same services, and doing it in a much nicer way than him. The other players in that market have realized that even working within a multi-tenant environment does not absolve you from supplying assurances to individual customers.
Assuming we solved the above and everyone is equally unhappy with the situation, let us go into the practical bit of this post, what I’d like to refer to as: “THE OUTRAGEOUSLY MAGNIFICENT CYBER PRE-CLOUD MIGRATION LIST OF THINGS YOU NEED TO ASK BEFORE IT’S TOO LATE”
THE OUTRAGEOUSLY MAGNIFICENT CYBER PRE-CLOUD MIGRATION LIST OF THINGS YOU NEED TO ASK BEFORE IT’S TOO LATE (*)
(*)I’ve always wanted to use the words Cyber and Cloud in the same sentence. Now I have.
1. What is The Cloud: this is not an existential question. Whenever your business tells you that “WE ARE GOING INTO THE CLOUD AND BEYOND” and asks you to define the security of this process, doubt first whether the Cloud is, in fact, the cloud. Non-IT personnel (and some, ahem, IT personnel) assume that every service hosted outside your data center that says “CLOUD” or ends with “..aaS” must be highly advanced, secure by design and generally speaking Cyber. Before you start this journey of exporting bits of your infrastructure and loads of your data to an external provider, ensure that it is not a random server sitting in someone’s backyard, that the hosting provider is not owned by two blokes registered in the Seychelles and that their security is not based on a router-based firewall that was configured by your mother-in-law. Read this to understand a bit more about what to expect from a “real” Cloud service. Don’t be an …aaS (*)
2. Where is your Cloud: you know that little thing called the European General Data Protection Regulation? One of the requirements of this lovely upcoming regulation (and the existing directive) is that all of the EU citizens’ private data has to reside within the borders of the EU. That not only means that the Cloud provider has to ensure that your tenant does not leave the magical borders of the EU, but also that access for support purposes from outside the EU has to be controlled and captured within the contract.
3. What security controls you are expecting to have in place: let’s be honest here folks, in the vast majority of cases, a proper Cloud provider will have much better security than you do. They have the budget, they have the manpower, they have the cojones to design everything securely from the ground up. They know that for any serious security incident, they might be losing customers. So while you are still arguing that you need an additional 2K EUR per year for anti-malware, they have a SOC that looks like the control room of the Death Star. However, it is not always one size fits all, and some of the security building blocks of the service might be considered extra and would require an investment. Be sure you read the catalog properly and you convince your organization to choose the right tools for the job. Don’t be cheap. If you need SOC integration, pay the extra fee for monitoring. If you need to be sure that your intellectual property is not being read by some of those pesky 3rd line support engineers, adopt the Bring Your Own Key part of the contract. Make sure you think long term, as once you go Cloud, you never come back. At least, not easily.
4. Contractual controls — gone are the days of “you take it or leave it” negotiations with large Cloud providers. While they don’t exactly do a tailored contract, they will allow for some maneuvering and generally speaking the terms of the contract do tend to be better than they used to. Things you want to consider specifically:
- Compliance with international auditing standards (at the very least, ISAE 3402/SSAE 16).
- Auditing rights — this one is a bit tricky, but some auditing is mostly allowed, as long as you don’t overstep the provider’s responsibility towards other customers. In particular, I would recommend checking how you can remotely audit/penetration test services that you either host or use from that provider. This has become a standard practice for the larger providers.
- Log retention and e-discovery capabilities — make sure you have those. You don’t want to find out that those are not included in your contract once you actually need them. Not all providers have e-discovery available for customers, but when they do, grab ’em.
- Detailed responsibilities of the Cloud provider — do not accept generic terms of security, such as: “we do great security” or “we patch you long time” or “we use market best cyber cloud advanced security practices”. If they have good security in place, they won’t be afraid to detail it out. Ask them to dish it out: vulnerability management, patching, password policy, physical security, incident response, personnel security. Don’t be shy. If you agree to generic terms you will end up getting generic security.
5. Interfaces with internal systems: be sure that you can plan interfacing with internal solutions without lowering your security standards. A few things to consider: do you have a SOC and do you want to monitor this environment? How will you grab logs? Do you want to consider a Bring Your Own Key option? Would that require a proxy solution that the Cloud provider supports? Are you using a Web Proxy that might impact connectivity? And for the love of god: can you integrate your identity store into this solution seamlessly?
6. Monitoring and general administrative access: you want to be sure that you are able, at the very least, to monitor privileged access/activities and enable multi-factor authentication on such activity. Check if all information that is collected is actually needed, and what parts of it can be anonymized. Check what logging and monitoring options are there (some of them are premium options and some are default), and check how you can maximize your access to your own data. Remember: it’s still your data, regardless of what shiny Cloud it sits on. Don’t be ashamed to ask for more.
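Items 2, 5 and 6 boil down to the same practical question: once you do get your logs out of the provider, what do you actually check in them? As an added example (not part of the original post, and not any provider’s real tooling or log format), here is a small review script over a constructed, vendor-neutral audit trail. The field names (`actor_type`, `mfa`, `region`) and the list of privileged actions are assumptions; map a real provider’s audit schema onto them before use. It flags two things the contract should have promised you can see: privileged actions performed without multi-factor authentication, and any activity (including provider support access) touching a region outside the agreed data-residency boundary.

```python
"""Review a cloud audit trail for privileged activity without MFA and for
activity outside the agreed data-residency boundary.

Added example. The event schema and action names are assumptions, not any
provider's real audit-log format.
"""
import json

# Constructed sample events, one JSON object per line, in a vendor-neutral
# shape. Real providers each use their own schema; map their fields to these.
SAMPLE_AUDIT_LOG = "\n".join([
    json.dumps({"time": "2024-03-01T08:00:12Z", "actor": "alice@example.com",
                "actor_type": "tenant", "action": "iam:CreateUser",
                "mfa": True, "region": "eu-west-1", "source_ip": "203.0.113.10"}),
    json.dumps({"time": "2024-03-01T08:05:44Z", "actor": "bob@example.com",
                "actor_type": "tenant", "action": "iam:AttachAdminPolicy",
                "mfa": False, "region": "eu-west-1", "source_ip": "203.0.113.11"}),
    json.dumps({"time": "2024-03-01T09:12:03Z", "actor": "support-7731",
                "actor_type": "provider_support", "action": "storage:ReadObject",
                "mfa": True, "region": "us-east-1", "source_ip": "198.51.100.5"}),
    json.dumps({"time": "2024-03-01T09:30:00Z", "actor": "carol@example.com",
                "actor_type": "tenant", "action": "storage:ListBuckets",
                "mfa": False, "region": "eu-central-1", "source_ip": "203.0.113.12"}),
    json.dumps({"time": "2024-03-01T10:01:59Z", "actor": "dave@example.com",
                "actor_type": "tenant", "action": "kms:DisableKey",
                "mfa": False, "region": "us-west-2", "source_ip": "203.0.113.13"}),
])

# Actions that change who can do what, or touch the keys protecting the data.
# Hypothetical names; take the real list from the provider's service catalogue.
PRIVILEGED_ACTIONS = {
    "iam:CreateUser", "iam:AttachAdminPolicy",
    "kms:DisableKey", "kms:ScheduleKeyDeletion",
}

# Regions the contract allows tenant data and support access to touch (assumed).
ALLOWED_REGIONS = {"eu-west-1", "eu-central-1"}


def parse_audit_log(text):
    """Parse newline-delimited JSON; skip blank or malformed lines instead of aborting."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def review_events(events, privileged=PRIVILEGED_ACTIONS, allowed_regions=ALLOWED_REGIONS):
    """Return (rule, actor, action, region) tuples for every event that breaks a rule.

    An event can trip both rules, so it may produce two findings.
    """
    findings = []
    for ev in events:
        action = ev.get("action", "")
        region = ev.get("region", "unknown")
        actor = ev.get("actor", "unknown")
        # Rule 1: privileged change without a second factor (item 6).
        if action in privileged and not ev.get("mfa", False):
            findings.append(("privileged-without-mfa", actor, action, region))
        # Rule 2: anything outside the residency boundary; provider support
        # access from outside is called out separately (item 2).
        if region not in allowed_regions:
            if ev.get("actor_type") == "provider_support":
                rule = "support-access-outside-boundary"
            else:
                rule = "activity-outside-boundary"
            findings.append((rule, actor, action, region))
    return findings


def summarize(findings):
    """Count findings per rule, the one-line view for a periodic access review."""
    counts = {}
    for rule, *_ in findings:
        counts[rule] = counts.get(rule, 0) + 1
    return counts


if __name__ == "__main__":
    results = review_events(parse_audit_log(SAMPLE_AUDIT_LOG))
    for finding in results:
        print(*finding)
    print(summarize(results))
```

The two rules are deliberately simple so that they translate to whatever query language your SOC tooling speaks; the point is that you cannot write either of them unless the provider exports the MFA flag, the acting region and a distinguishable identity for its own support staff, which is exactly what to ask for before signing.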
(items 7,8,9 and 10 are intentionally left blank because, Jesus people, not all lists have to have 10 items in them).
To summarize: real Cloud services are not necessarily evil. They can do a lot of good for your organization. They can be cost efficient, they can be secured by design and they might even care about you! Keep a sharp eye on the contractual terms, don’t be ashamed to invest a bit more and stay optimistic. Maybe you’ll live long enough to see how everyone in-sources (de-clouds?) again 10–15 years from now.