Security Questions To Ask Your Cloud Provider

NeoSpire's director of security, Sean Bruton, discusses the realities of cloud security and the key questions to ask when assessing a hosted or cloud service provider's claims.

Daniel Dern, Contributor

August 30, 2010

8 Min Read

Slideshow: Cloud Security Pros And Cons

(click for larger image and for full photo gallery)

IT resources like data, server applications, databases, e-mail, and internal or external web applications require a task list of security measures. The size and composition of that list depends on how concerned you are, like whether you care if your customer list or next year's plans are snarfed up and sold to your competition.

And some of it depends on what industry you're in, and in turn, how much and many government and industry regulations your company is subject to... and the penalties if something happens or even if you simply fail an audit.

For example, if personal data like social security or credit card numbers have been potentially exposed -- an unencrypted tape, disk, or notebook gone astray; a Wi-Fi access point left vulnerable -- it can cost twenty dollars or more per user to alert them, plus regulators may decide to whack you in the wallet. This is true whether you're housing the data inside your own company, or outside with a third-party provider like a managed hosting service; a public, private or hybrid cloud; or a tape storage firm.

And even most companies that do house their primary data store internally will still need some offsite storage, whether for business continuity/disaster recovery, archival offsite backup, or compliance requirements. So these companies have to assess whether to do these backups themselves, or farm it out.

Sean Bruton, director of security for managed hosting provider NeoSpire, talked about some of the security issues, concerns, and to-do's that a company should consider before selecting any outside hosting company or service... or electing to keep things inside.

InformationWeek SMB: First, let's start by clarifying the question: what are the relative securities and insecurities of where your company's data lives -- in a data center in your company, or in an external company, like a managed service provider, or a public or private cloud vendor?

Bruton: The first thing you're interested in, in terms of security, is the company hosting your data. What controls are in place, as a company? For example, what is the internal control in terms of who has access, physical locations, what audits do they go through during the year, and the amount of visibility they're willing to offer customers into those controls and audits.

Analytics Slideshow Calculating Cloud ROI

(click for larger image and for full photo gallery)

InformationWeek SMB: All this security sounds like it can be a lot of work to provide. How big does a company have to be to internally house data, cost effectively?

Bruton: Every company will have a different level of risk they're willing to accept. Consider a small company doing credit cards has to meet payment card industry data security standard (PCI DSS) requirements, versus some other business where data loss isn't as big a concern. Every company, big or small, has to look at their regulatory obligations with regard to security.

It takes seven to eight people to run a single 24-hour shift. For a single web application, the costs would be astronomic. Even if you're willing to go to one shift, or on-call... you're still talking about $100,000 a year just in salary.

A dedicated or cloud provider can do this work for about 10% of that, and without the capital expenditures or other commitments on your part. So unless you already have a staff for round-the-clock offsite BC [business continuity], DR [disaster recovery], and to meet your various regulatory requirements, it's not cost effective.

InformationWeek SMB: So until you're big enough to have all those teams in place, you'll never see a cost savings? Especially if you add in the learning curve, the costs of keeping up to date with new technologies, new regulations, and new threats.

Bruton: No, for a third party, that's the business they are in. In terms of operations, you can treat it like a "black box," and not worry about the technology.

But using a third party means there's a disastrous impact to security. Since you don't know what your provider is doing, you can't tell your auditors.

Slideshow: Cloud Security Pros And Cons

(click for larger image and for full photo gallery)

InformationWeek SMB: How do you solve that?

Bruton: It's unlikely that your provider will let you send your auditors into their data center. So you have to look at their audit.

What's become standard in the hosting world is a SAS70 assessment, which is being replaced by the SSAE16 auditing standard. There are Type I and Type II assessments. In a Type I, the certified public accountant comes in, reviews the host's policies and procedures, and writes up a report. But a Type I report simply audits the words on paper. It doesn't test that these controls are in place or being done effectively.

The Type II assessment, after a Type I, monitors the company for at least six months, collects evidence that controls are being done effectively, and writes up a report, including any exceptions. For example, maybe they said they would record 24x7 security video and save it for 90 days, but the auditor found only 45 days at one point.

Many companies claim they're SAS70 compliant, but that doesn't mean anything. SAS70 doesn't dictate what the controls are. You need to know what they were assessing. Many don't cover network security. Compare their controls against your own organization's.

InformationWeek SMB: What about fulfilling compliance requirements?

Bruton: A lot of government controls don't specify what you have to do. For example, HIPAA doesn't include firewall. Whereas PCI DSS is an exacting standard, it's very specific, like "you have to log everything that comes from your servers, save them, and go through them every day to make sure there's no sign of a breach." So it's very hard for companies to implement PCI DSS.

So it's nice to get that SAS70 report up front, to evaluate what controls they have in place. But you don't want to lose sight of what's happening to your data. You'd like a report on what IP addresses they've blocked [that were] trying to get to your data, it's good to have those records in case there is a breach. If you can't prove to the Federal Communications Commission or whoever that you had the controls in place, it won't be good.

Analytics Slideshow Calculating Cloud ROI

(click for larger image and for full photo gallery)

InformationWeek SMB: Are cloud providers providing adequate security? Can they assure it?

Bruton: Many companies can implement the same security controls that a third-party provider can. But a lot of cloud providers today are busy pushing out applications and capacity and features, and that may be at the expense of security.

Also, not all clouds are equal -- there's public, private, and hybrid, and there are technical differences. Using the public cloud, you're using shared resources, you don't have your own firewalls, or network VLANs [virtual local area networks], so the exposure changes.

Behind your firewall, you have a better chokepoint, which can decrease the exposure to attacks. A private cloud environment can give you your own firewall, your own VPL [virtual private line] or MPLS [multiprotocol label switching] circuit, and mitigate risks.

InformationWeek SMB: So you have to understand what any hosting or cloud vendor means when they say "security."

Bruton:: You can't just look at what they tell you, because if something does go wrong, the injured party or the regulators aren't going to go after them, they'll go after you.

For Further Reading

Strategic Security Survey: Global Threat, Local Pain

McAfee Says Security Industry Failing On Cybercrime

IT Security Unleashes Employee Complaints

About the Author(s)

Daniel Dern


Daniel P. Dern is an independent technology and business writer. He can be reached via email at [email protected]; his website,; or his technology blog,

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights