Cloud Application Security
I recently led an interactive discussion on cloud security at an Office of the Cloud event in Menlo Park, CA.
I started off by asking, why does cloud security matter? As a group we discussed incident response, loss of all sorts (data, time, reputation, money), protection of intellectual property, human error, insecure default settings, and more. A desire to take a proactive, rather than a reactive, approach to cloud security emerged.
Taking a step back, I talked about two types of cloud companies:
- Companies that started out with on-premises technology and have recently moved to the cloud. A typical security challenge for this group is figuring out how to map existing controls onto the new setup, where they have far less direct control than they did in the past (the provider now owns the physical layer and much of the stack).
- Companies that were “born” in the cloud. Often these companies are started when someone has a great idea that they want to make a reality, and they discover that leveraging the cloud is the easiest way to get started. These companies don’t necessarily worry about security right away, until someone (usually a prospect or customer) asks, “so what are you doing about security?”
I think there are 3 main reasons why security matters for cloud companies.
Reason #1: Sales / Acquisition. A potential customer or acquirer wants to know what the company is doing about security.
Reason #2: Press. The company wants to avoid negative press headlines resulting from a security breach. Let’s think about this for a moment, though. Isn’t the reason any company cares about press because it doesn’t want bad press to affect their sales or potential acquisitions? (See: Verizon and Yahoo). So perhaps we’re back to just the one reason — sales.
Reason #3: Compliance. The company needs to comply with PCI, HIPAA, or another requirement in order to do business or meet a customer requirement. Sound familiar? A primary reason for compliance is to avoid slowing down… sales.
Remember when Bill Gates wrote that company-wide memo to all the employees at Microsoft talking about Trustworthy Computing? Was that for a noble cause? I suspect it was because Microsoft was starting to get questions about its security, and it didn’t want security issues to get in the way of… you guessed it, sales.
So if sales matters to companies, and security matters for sales, how does a cloud company get started when it comes to “doing” security?
A quick Google search tells us that there are plenty of resources on the subject.
- The BSIMM catalogs 110+ software security activities.
- ISO/IEC 27017 has a list of 120+ cloud security controls.
- The CCM (published by the Cloud Security Alliance) has a list of 130+ cloud security controls.
My brain just exploded. What’s a practical person supposed to do with all of this information?
Throughout my career, I’ve provided advice to large enterprises building vendor risk management programs and small start-ups looking to pass a security audit by an important prospect.
Here are my thoughts on the bare minimum security controls that should be in place for any cloud company:
- Incident Response Plan. Things can, and will, go wrong. Write down who does what when something bad happens: who gets paged, how you contain and recover, and who tells customers.
- Acceptable Use Policy. Expectations for employee behavior should be set in black and white. This document should be presented to every new (and existing) hire, signed, and kept on file by HR.
- Manual External Penetration Test. What can skilled attackers do to your company’s externally facing applications? Hire some, and find out. An automated scan is not a substitute for this.
- Vulnerability Management Policy. What will you do when you learn about a security issue? Write that down. Tip: you don’t need to fix every single issue right away. Rank issues by risk (severity, how exposed the affected system is, and what data it holds), set a remediation deadline for each tier, and work the list in that order.
- Public Security Statement. Security can be a key differentiator in today’s market. Share what your company does about security publicly so customers and prospects can read it for themselves.
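The vulnerability management tip above (rank by risk, then work the list) is the one item on this list that can be turned into working code. The following is an added example, not code from the original post: it scores each finding by CVSS adjusted for exposure, data sensitivity and public exploit availability, maps the score onto a tier with a remediation deadline, and flags what is overdue. The weights, tier thresholds and SLA day counts are assumptions chosen for illustration, and the findings are constructed, not real issues from any product.

```python
"""Risk-ranked vulnerability triage (added example; weights and SLAs are assumed)."""
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed remediation deadlines per tier, in calendar days. Your policy sets its own.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}

# Assumed context multipliers. An internet-facing asset, or one holding
# customer data, keeps its full severity; otherwise severity is halved.
EXPOSURE_WEIGHT = {"internet": 1.0, "internal": 0.5}
DATA_WEIGHT = {"customer": 1.0, "none": 0.5}
PUBLIC_EXPLOIT_FACTOR = 1.5  # assumed bump when a working exploit is public


@dataclass(frozen=True)
class Finding:
    id: str
    title: str
    cvss: float           # CVSS base score, 0.0 to 10.0
    exposure: str         # "internet" or "internal"
    data: str             # "customer" or "none"
    exploit_public: bool  # is a working exploit publicly available?
    reported: date        # when the issue was first reported to you


def risk_score(f: Finding) -> float:
    """Severity adjusted for context; CVSS alone says nothing about the asset."""
    if not 0.0 <= f.cvss <= 10.0:
        raise ValueError(f"{f.id}: CVSS out of range: {f.cvss}")
    score = f.cvss * EXPOSURE_WEIGHT[f.exposure] * DATA_WEIGHT[f.data]
    if f.exploit_public:
        score *= PUBLIC_EXPLOIT_FACTOR
    return round(min(score, 10.0), 2)


def tier(score: float) -> str:
    """Map a risk score onto the policy's tiers (thresholds assumed)."""
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    return "low"


def triage(findings, today):
    """Return findings ranked by risk, each with its tier, due date and overdue flag."""
    rows = []
    for f in findings:
        s = risk_score(f)
        t = tier(s)
        due = f.reported + timedelta(days=SLA_DAYS[t])
        rows.append({"id": f.id, "title": f.title, "score": s, "tier": t,
                     "due": due, "overdue": today > due})
    return sorted(rows, key=lambda r: r["score"], reverse=True)


# Constructed sample findings for the example (not real issues from any product).
SAMPLE_FINDINGS = [
    Finding("F-1", "SQL injection in login form", 9.8, "internet", "customer", True, date(2017, 3, 1)),
    Finding("F-2", "Weak TLS config on internal admin panel", 7.2, "internal", "none", False, date(2017, 3, 1)),
    Finding("F-3", "No rate limit on password reset", 5.3, "internet", "customer", False, date(2017, 3, 1)),
    Finding("F-4", "Reflected XSS on marketing site", 6.4, "internet", "none", True, date(2017, 3, 1)),
]

if __name__ == "__main__":
    for r in triage(SAMPLE_FINDINGS, today=date(2017, 4, 1)):
        flag = " OVERDUE" if r["overdue"] else ""
        print(f'{r["id"]} {r["score"]:>5} {r["tier"]:<8} due {r["due"]}{flag}  {r["title"]}')
```

Note what the ranking does with F-2 and F-3: the internal TLS issue has the higher CVSS score, but the unthrottled password reset on the internet-facing, customer-data-bearing login is the bigger risk and lands higher in the queue. That is the point of writing the policy down as a rule rather than triaging by gut feel.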
Once you’ve got those nailed down, you can proceed to the other 120+ controls recommended by the CSA. Good luck.