Examining Cloud Service Provider Policies and Practices
In my article about Security and Privacy in Public Cloud Computing, I described a number of concerns that the US government expressed about using public cloud computing service providers. The National Institute of Standards and Technology (NIST), part of the US Department of Commerce, published Special Publication 800-144 Guidelines on Security and Privacy in Public Cloud Computing to clearly express these concerns.
I’m examining all of these concerns with the intent of mapping the theory and recommendations expressed in SP 800-144, and supporting reference documents, to a practical IT approach. In this article I’m exploring the Policies and Practices recommendations.
Your IT organization undoubtedly has policies and practices in place that control and define how IT assets are managed. Your policies and practices should already cover areas including maintenance windows, system upgrades, software configuration, secure system access, and documentation.
There are two critical questions to ask yourself:
- Does my cloud service provider implement the policies that I require?
- How do I know?
Does my cloud service provider implement the policies that I require?
Being in the IT service provider business requires having certain policies in place. These core IT building blocks, including policies, procedures, practices, and standards, are established by the service provider before they open for business, and they evolve over time based on experience and business need.
When you ask a cloud service provider about their policies, practices, and other core IT components, they often cite industry standards and provide audit results. Those are the most generic and widely accepted data points that give you confidence in their service.
Your concern isn’t whether the company has policies in place. It is how those policies map to your requirements.
For example, many providers have a policy that critical new security patches are applied to all systems within 4 hours. That’s a great policy – unless your business is interrupted when that patch gets applied during a busy time. If the provider isn’t required to notify or get permission from you for this unscheduled downtime, it could irreparably harm your business.
To answer this question, you must map your IT requirements against the provider's. This includes all aspects of IT deployment, operations, security, and maintenance. To simplify the process, consider providing your department's IT documentation to the provider and asking them either to commit to executing it as written or to document the differences for review.
How do I know?
Once your cloud service provider has implemented the agreed-upon policies, there’s nothing to worry about, right? Wrong. Sometimes details get overlooked or communications break down. Intentionally or not, the right practices and policies may not be put in place. They will very likely be refined over time in response to business need or operational optimization.
You must verify that the correct policies are implemented and that they continue to be implemented over time. The easiest way to do this is a combination of two elements:
- Change control. Whenever the provider makes any changes to their own internal policies, or to any practices or details that impact your systems, they must notify you in writing prior to or immediately after the change. Similarly, whenever your requirements change, you must notify the provider so they can comply.
- Regular audits. Any long-term service provider relationship must include a regular audit requirement to ensure adherence to the written agreement. This can be performed by your staff, but an independent third-party auditor will often be less expensive, faster, and able to provide a party-neutral evaluation that is accepted by everyone involved. When audits reveal discrepancies between documented requirements and actual practices, there should be an opportunity for mutual agreement to either comply with or change the policy.
While all of this can seem daunting, it doesn't have to be. Most of the policy documentation is already in place in your organization and in the cloud service provider's. Differences are often minimal, with cloud providers frequently exceeding your requirements in advance. When in doubt, a discussion of the differences almost always brings better understanding and mutual agreement.
If you have comments on this article, please join Mike on Twitter @mikedancissp.