Cloud security: The top tips from the experts

Stuart Sumner

Computing asked the experts for their top tips to help businesses use the cloud securely. Here's what they said

How to find the right cloud provider (3)

Ian Trump, global security lead at LOGICnow
"Make sure the cloud vendor supports two-factor authentication (2FA) or can supply a reliable add-on for 2FA. If you are using cloud services and not using 2FA, you are at high risk of being hacked.

"Ensure the cloud vendor has an audit log for user activity and compliance purposes. Without that it will be impossible to reconstruct an insider or outsider breach.

"Ensure the cloud vendor has password expiry capability and a stale user report. Unused accounts should be disabled and only removed after the data for that user has been archived in some manner.

"Ensure the cloud vendor has robust encryption for data in transit and any sensitive data such as user IDs and passwords are stored in an encrypted manner.

"Ensure the cloud vendor has both a mechanism and requirement in the T&Cs to alert you if a security breach of your account has taken place.

"Ensure the cloud vendor has procedures in place to verify a password reset request using an out-of-band mechanism, such as a phone call and account verification, to defeat social engineering attacks or malicious insider activity.

"Ensure the cloud vendor's storage and processing facilities are located in a country with the same or more robust privacy and data protection requirements as your own country.

"Ensure the cloud vendor requires your written authorisation to use your metadata or data for any third-party purpose."

 

Martyn Williams, managing director of COPA-DATA UK
"Slowly but surely, industry is starting to outline and implement cyber security standards to make industrial networks, devices, software, processes and data more secure. For example, the NIST Cyber Security Framework published in the US compiles leading practices from several standard bodies. There is no such thing as a foolproof formula, but NIST is a good place to start."

 

David Meyer, VP of product at OneLogin
"Businesses need to ensure that the vendor they choose supports industry standards. Such standards have their security aspects vetted publicly, unlike proprietary approaches some vendors use. Also, it's vital to ensure the vendor is up to date on certifications and third-party reviews."

 

Jamal Elmellas, technical director at Auriga
"Be wary of thinking 'we're safe because the CSP is PCI, SOX, ISO certified'. That's untrue. They will have a specific instance such as an application, basic platform or application that may well be, but the chances are that you will be procuring a blend of services. Make sure you know what is and isn't part of that scope. For example, if you procure a tightly scoped card/payment processing application via SaaS, PCI may cover it. If you shift your entire ICT infrastructure into a CSP that claims they are ISO27001, it is highly unlikely their scope will cover your business and processes. You will need to adjust your own ISO27001 scope."

 

Sam Mager, commercial director at Krome Technologies
"Be cynical: not all cloud providers are made equal. Do your due diligence and understand the fundamentals of physical security - where is your data, who has access to the servers and how are they protected? Also, where else could they be? If your cloud provider has multiple data centres and replicates data for redundancy and protection, where is your data at any given time?"
