Moving to the cloud can be a cost-effective option for companies looking to reduce their responsibility, overhead and the management of IT infrastructure. Andy, cyber security specialist at OmniCyber Security, has seen many companies that have made the transition with minimal disruption, reducing their costs and gaining an increased level of support. He goes in-depth on security in the cloud.
But what about security and compliance considerations? This part of the due diligence process seems to be an afterthought in the decision making process for many companies and on occasion has been problematic. To put some context around this I thought it would be worth sharing a few key points for consideration to help customers shape their own due diligence process and identify key questions which should be addressed from the outset.
What happens in the event of a breach?
Customers have come to us after a breach and have highlighted the response from their hosting platform. As with most hosting agreements, very few individuals are allowed on the data centre floor, which ultimately impacts investigations. When requesting an image of the server, customers incur costs for an engineer, the disks and shipping, which are ultimately quite high. Most agreements I have reviewed contain nothing about how the hosting provider will assist you in the event of an incident. It's an important question to ask from the outset.
When reviewing hosting providers, we have seen that most of them attach some form of badge to their website: ISO 27001, PCI DSS or similar. It's worth investing some time into understanding whether the hosting provider has been externally audited or self-certified against these standards, including which company has conducted the audit. Any legitimate hosting provider should be willing to provide copies of accreditation certificates.
As part of most IT Security accreditations there will be a number of security activities that will need to be undertaken; for example, vulnerability scanning, penetration testing etc. It's worth requesting some level of evidence that these are conducted. In a recent engagement, we came across a hosting provider that was conducting vulnerability scans on a firewall they had developed and configured internally, effectively marking their own homework.
De-scope your environment?
For organisations looking to de-scope their environment for the purpose of PCI, I would recommend obtaining written confirmation that the hosting provider is actively maintaining PCI compliance. As part of your due diligence, ask the provider to share a copy of their AOC or ROC. It may also be wise to have it reviewed by an external QSA company.
What background checks do they run?
A key part of the due diligence process is to understand the process the hosting provider uses to recruit personnel internally. After all, these personnel may have access to a lot of sensitive data for multiple customers. BS7858 is a security vetting standard that provides a thorough check of potential personnel and should be used as a guideline for what checks to expect.
Although the list is by no means exhaustive, it is designed to help customers ask some basic security and compliance related questions when choosing a hosting provider.
Andy has been working within the IT Security and technology sector for the last 15 years. He has worked closely with a range of companies, from SMEs to large financial institutions. His goal has been to develop a company that helps its customers develop a measured approach to IT Security and Compliance, educating them to make informed choices based on the threats their organisations face and the compliance standards relating to their sectors. For more information visit www.omnicybersecurity.com.