Enforcing end-to-end security in the cloud requires knowing how to
choose the right security product and vendor, and following sound
practices for SLA management.
According to Bryce Boland, Chief Technology Officer of
Asia-Pacific at FireEye, companies should follow these tips when making a
purchasing decision:
• Review the vendor's service history, obtain customer
references and ask them about their experience of how the vendor handles
privacy, reliability and security vulnerabilities.
• Be certain that application and infrastructure security requirements are written into your contract
with any SaaS provider. Include an audit clause whereby you or a
third-party can periodically verify that the required controls are in
place.
• Carefully examine the vendor's policies for data recovery
in the event you decide to terminate the service. Be certain that you
know how long it will take to retrieve your data as well as how long it
will take to make it inaccessible online.
• Always maintain ownership of domain names that you provide
to clients. That way, if you terminate a vendor relationship, you will
not have to retrain your clients on the correct URL to use to find you.
Boland adds that after settling on a vendor or product,
users should consider the following best practices to ensure cloud
security:
• Get a solid Service-Level Agreement. An SLA requires that
the vendor provide a specified level of system reliability. A good
vendor will strive for performance that meets Six Sigma
levels of service quality (e.g., 99.9997 percent of security patches
made within a set number of hours, not days, after public disclosure).
• Insist that the vendor's own software development process
adheres to a robust software development life cycle model that includes
tollgates that check for secure coding standards. Request that a
description of the process be appended to the SLA.
• Do not accept a policy of silent fixes to the service.
Demand notice from the vendor whenever security fixes are made, and specify in
the SLA that you, as the CISO, are to be notified directly about these
fixes.
• Maintain strong encryption standards and key management for data transmission between your site and the vendor site.
The FireEye CTO will be speaking more about the topic at the upcoming CommunicAsia2014 Summit in June.