Wednesday 23 April 2014

Five Security matters to focus on when you evaluate a cloud provider

Choosing a cloud provider is not an easy task. Cost is a factor, but this is not a pure commodity decision: it calls for careful research into whether what the vendor offers matches your business needs and the sensitivity of your data. When you evaluate cloud providers, there are five attributes you can examine. Which of them matters most will vary with your security needs and objectives.

1. Cloud Provider Transparency
When an enterprise selects a cloud provider, it is not only making a purchase or signing an agreement. A contract involves an ongoing relationship between the customer and the cloud provider, so the customer needs a clear picture of the provider's commitments relating to security and privacy, as distinct from the responsibilities the customer retains.
Transparency is critical here. The vendor needs to make clear commitments on what controls are in place, who manages the technology, where the data resides, and which responsibilities it assumes as custodian of the crucial data.

2. Risk Mitigation
What is risk mitigation? It is a key component of any security strategy, and consigning data to a third party can either reduce or increase risk. As part of its own security strategy, an enterprise needs to investigate the steps the cloud provider takes to mitigate risk around its service offerings. An important risk in moving enterprise services to the cloud is managing end-user access so that only authorized users are permitted to reach the stored information. When people think about "accessing data", they usually think about provisioning permissions to view or change the data. The bigger risk, however, is the revocation of access when a person leaves the company.
That person's access to on-premises services can be revoked easily through the company's internal directory server. But if that directory server is not integrated with the company's cloud services, access may not be revoked on time, or at all. A former employee could then continue to have access to those services, to the company's detriment. Single sign-on offers a solution, since it gives enterprises a way to integrate, manage and revoke access from a centralized database.

However, much as companies want the benefits of single sign-on, they do not want to hand their credentials to third parties. Oracle provides such a service: the federated identity technology in its cloud service addresses this very problem, offering all the advantages of single sign-on without any downside, as long as the directory service speaks SAML (Security Assertion Markup Language). The technology accepts assertions from the customer's directory service and authenticates the user on that basis. When a person is removed from the company directory, federated identity enables them to be removed from the cloud service at the same time.
For the end user, the whole process, regardless of where authentication takes place, appears to run within the company's network. This smooth integration is quite unusual, and it becomes important when hybrid clouds come into the picture.
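The revocation gap described in this section, as an added worked example (not code from the original post, and not Oracle's or any vendor's implementation): a company directory acts as the identity provider and issues signed assertions, a federated cloud service accepts those assertions instead of holding its own copy of the user list, and a second cloud service that was merely provisioned with a copy of the accounts never learns that an employee has left. The assertion format (JSON signed with HMAC-SHA256), the key, the audience URL and the user names are all constructed for the demo; real SAML 2.0 assertions are XML signed with XML-DSig, but the trust relationship and the lifetime caveat are the same.

```python
import base64
import binascii
import hashlib
import hmac
import json

# Constructed demo values: a demo-only signing secret, the assertion lifetime
# (SAML's NotOnOrAfter minus IssueInstant) and a hypothetical SP entity ID.
IDP_SIGNING_KEY = b"constructed-demo-signing-key"
ASSERTION_LIFETIME = 300                            # seconds
CLOUD_AUDIENCE = "https://cloud-app.example/saml"   # hypothetical


class Directory:
    """The company directory: the only authoritative source of who is still employed."""

    def __init__(self, users):
        self.users = set(users)

    def deprovision(self, user):
        """Offboarding: remove the user from the directory."""
        self.users.discard(user)

    def issue_assertion(self, user, audience, now):
        """Issue a signed assertion for an active user, or None if the user is gone."""
        if user not in self.users:
            return None
        claims = {"subject": user, "audience": audience,
                  "issued": now, "expires": now + ASSERTION_LIFETIME}
        payload = json.dumps(claims, sort_keys=True).encode()
        signature = hmac.new(IDP_SIGNING_KEY, payload, hashlib.sha256).hexdigest()
        return base64.urlsafe_b64encode(payload).decode() + "." + signature


class FederatedCloudService:
    """SP that trusts directory assertions and keeps no credentials of its own."""

    def __init__(self, audience):
        self.audience = audience

    def login(self, assertion, now):
        """Return the authenticated subject, or None if the assertion is not acceptable."""
        if assertion is None:
            return None
        try:
            encoded, signature = assertion.split(".", 1)
            payload = base64.urlsafe_b64decode(encoded.encode())
        except (ValueError, binascii.Error):
            return None
        expected = hmac.new(IDP_SIGNING_KEY, payload, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, signature):
            return None                      # forged or tampered assertion
        claims = json.loads(payload)
        if claims.get("audience") != self.audience:
            return None                      # assertion meant for another service
        if not (claims["issued"] <= now < claims["expires"]):
            return None                      # expired or not yet valid
        return claims["subject"]


class CopiedAccountsCloudService:
    """SP provisioned with a one-time copy of the user list; never hears about removals."""

    def __init__(self, provisioned_users):
        self.accounts = set(provisioned_users)

    def login(self, user):
        return user if user in self.accounts else None


def run_scenario():
    """Onboard, offboard, and compare the two services; returns the outcomes as booleans."""
    directory = Directory(["alice", "bob"])
    federated = FederatedCloudService(CLOUD_AUDIENCE)
    copied = CopiedAccountsCloudService(directory.users)    # sync at provisioning time only

    t0 = 1_000_000                                           # constructed clock value
    before = directory.issue_assertion("bob", CLOUD_AUDIENCE, t0)
    results = {"bob_federated_before": federated.login(before, t0) == "bob",
               "bob_copied_before": copied.login("bob") == "bob"}

    directory.deprovision("bob")                             # bob leaves the company

    # New login attempts after offboarding: the directory issues nothing, the copy still works.
    after = directory.issue_assertion("bob", CLOUD_AUDIENCE, t0 + 60)
    results["bob_federated_after"] = federated.login(after, t0 + 60) == "bob"
    results["bob_copied_after"] = copied.login("bob") == "bob"

    # Caveat: an assertion issued before offboarding stays valid until it expires,
    # so the assertion/session lifetime bounds how quickly revocation takes effect.
    results["old_assertion_within_lifetime"] = federated.login(before, t0 + 60) == "bob"
    results["old_assertion_after_lifetime"] = (
        federated.login(before, t0 + ASSERTION_LIFETIME) == "bob")

    # A validly signed assertion for a different audience is rejected.
    other = directory.issue_assertion("alice", "https://other-app.example/saml", t0)
    results["wrong_audience_rejected"] = federated.login(other, t0) is None
    return results


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(f"{name}: {value}")
```

The point to take from the scenario is the difference between `bob_federated_after` (False: the directory no longer vouches for bob, so the cloud service never sees a valid assertion) and `bob_copied_after` (True: the copied account list has no idea bob left). The two `old_assertion_*` results show the limit of federation: revocation only takes effect once outstanding assertions and sessions expire, so a short assertion lifetime is part of the control, not an optional tuning knob.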

3. Proof of capabilities
It is all well and good for a cloud provider to talk about the security mechanisms it has in place, but it is more important that it can demonstrate that those controls have been verified. Security certifications are one way of doing this: they offer an easy and objective way for enterprises to compare providers and to ensure that the selected provider meets their needs. In regulated industries such as financial services or healthcare, it is very important that the provider complies with the regulatory requirements the enterprise is subject to. Certification is proof that the provider meets those requirements.
For some enterprises, compliance is difficult to achieve on their own, which makes choosing a cloud provider that can deliver it all the more critical. Sometimes a vast portfolio of regulatory frameworks is still not enough, or does not provide the desired level of certainty and proof. In such situations it is crucial to know up front whether the cloud provider allows customers to perform an audit or a penetration test, and under what conditions: at any time, only at certain points in time, unannounced, and so on.

4. Integration options
Once you have evaluated the criticality of the data being moved and set the risk criteria for comparing cloud providers, it is time to determine what degree of customization and integration is needed; the greater that degree, the more the choice inclines towards a managed private cloud as the preferred solution.
Remember that a cloud does not exist in a vacuum: applications running in the cloud may interact with other cloud-based applications in different kinds of clouds, as well as with non-cloud applications. Some of this data might be housed on-premises, some in a managed private cloud and some in a public cloud. So, however simple it may seem, determining how the cloud fits within the enterprise and its IT infrastructure is the most important consideration. Equally important are the connections over which cloud-based data will travel; at this point, do not overlook the security options associated with network-to-network connections.

5. Breadth of information
Cloud services can be offered to customers in multiple industries, including Retail, Healthcare, Life Sciences, Financial Services and Government. As a result, new expertise in security and compliance has been developed from which all customers can benefit. For instance, to achieve economies of scale, the security controls common across industries have been examined. Almost 75 to 80 percent of controls are similar across industries, and these have become the baseline controls in cloud offerings. This consistency in controls allows the operational management and monitoring of the controls to be automated.
