CONSIDERATIONS BEFORE MOVING TO THE CLOUD


44 Bearfoot Road, Suite 1A, Northborough, MA 01532. ceservices.com, 508-919-8280, info@ceservices.com

Contents

Introduction
Organizational Compliance Related to IT
  Compliance Audits
  Security Measures
Hosting Facility, Data Backup, & Infrastructure Backup Location(s)
  Hosting Facility Location
  Backup Locations
Service Levels
Cloud Provider Shutdown
Data Security
Transmission of Data
  Initial Setup
  Exporting and Removing Data
Encryption
Data Breach Notification
Questions to Ask Potential Provider

Introduction

When talking technology today, it's very rare that the word "Cloud" doesn't come up. The benefits touted with the cloud include ease of use, easy deployment, scalability, reduced capital expenditures, and the list goes on. Cloud services include virtualization, storage, backup solutions, software-as-a-service, business continuity and more. And, whether your business is considering one solution or five, there are multiple factors that management needs to consider before going to the Cloud. In this guide, we will discuss the following areas:

- Organizational Compliance
- Data Security
- Data Center
- Transmission of Data
- Location of Data
- Service Levels
- Data Breach Notification
- Encryption of Data
- Provider Shutdown

Organizational Compliance Related to Information Technology

Many state and federal regulations apply to your business whether you are privately or publicly held. Regulations are always changing and you don't want to be caught off-guard. Making sure you meet regulatory requirements can be quite complicated and oftentimes frustrating. Now, let's throw cloud computing into the mix. A lot of concern has been expressed around cloud computing, the security measures employed and meeting compliance requirements such as:

- Sarbanes-Oxley (SOX)
- Health Insurance Portability and Accountability Act (HIPAA)
- Payment Card Industry Data Security Standard (PCI DSS)
- Protection of Personal Information for MA Residents (201 CMR 17.00)
- Gramm-Leach-Bliley Act (GLBA)

Compliance Audits

In your review of cloud services providers, you'll want to inquire about where your data will be hosted to ensure they meet the specific compliance requirements for your business. For data centers to be compliant they need to pass a variety of audits based on what data will be hosted in the facility. For example, to be HIPAA compliant they need to pass an audit to guarantee the facility follows the Code of Federal Regulations (CFR) set by HIPAA inspectors. The inspectors will take a comprehensive look at the facility to make sure that all data stored is protected and only available to authorized users. Once complete, a report is generated documenting that the provider has the proper procedures and policies in place to provide HIPAA hosting solutions.

Other compliance audits include SSAE 16 (Statements on Standards for Attestation Engagements No. 16), formerly known as SAS 70; SOC 1, SOC 2, and SOC 3; and PCI DSS. For the Protection of Personal Information, there are certain security measures that you need to ensure your third-party vendor is adhering to, such as encryption of data and access control measures.

According to a Symantec study, "State of Cloud Global Results, January 2013", more than half of survey participants said they were concerned about being able to prove they have met cloud compliance requirements. And 23% revealed they had been fined for cloud privacy violations.

The following websites provide more detailed information on each of these compliance audits:
http://www.aicpa.org/soc
http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit
https://www.pcisecuritystandards.org/security_standards/

Security Measures

Data centers must provide ample security measures to protect the data of their clients in order to meet certain compliance requirements. These security measures include:

- HTTPS and SSL Certificates: for web-based access to information, which is encrypted and secured to prevent unauthorized connections.
- Encryption of data stored on servers.
- A Secure Firewall: a secure firewall will prevent any unauthorized access to protected files.
- Remote VPN Access: for authorized users to access the network using a remote computer.
- Disaster Recovery: a documented backup recovery plan in case of lost data or server malfunction.

Hosting Facility, Data Backup, and Infrastructure Backup Location(s)

Hosting Facility Location

Make sure the hosting facility location is not too close to your headquarters. Chances are if the two are close and a natural disaster damages or shuts down your corporate location, it could happen to the data center as well. You want to be close to your data, but not too close. Choose a facility away from flood zones and areas subject to hurricanes, tornadoes, earthquakes, as well as airports and power plants. This may seem easier said than done these days, but a reputable data center will have a well thought out location plan.

During Superstorm Sandy, many data centers in New York City were down due to flood and power outages. These locations were in low-lying areas in Manhattan and were susceptible to flooding. In many instances, the water flooded the generators, preventing them from working.

Airports and power plants typically have high electromagnetic interference or radio frequency interference. Because they are such large sources of interference, they have the potential to impede the performance of the data center's servers and networking services.

Backup Locations

When assessing a provider for cloud services, ask about backup locations. Are they located close enough that if the data center were to go down, the backup could be accessed in a reasonable amount of time? If business operations needed to be switched from one data center to another, are the locations close enough that your business wouldn't experience a significant amount of downtime? And, as in choosing the hosting facility, make sure backup locations are far enough away that they are unlikely to be affected by the same disaster.

How Much Downtime Can Your Business Afford? 99% Uptime vs. 99.9% Uptime

Service Levels

Service levels are defined in a Service Level Agreement, also referred to as an SLA. Service levels include uptime, security, availability and much more depending on the nature of your business. Before discussing service levels, consider what is important to your business. Identify what your business requires in terms of your technology and processes. Do you have an e-commerce site? If so, it's important that your uptime is as close to 100% as possible, since you want your customers to have access at any time to order your products. You will see a lot of providers offering 99.9%.

Think about what would happen to your business if the hosting facility had a security breach or Internet access outage. What business processes would be interrupted? Operations, customer service, and employee productivity could all come to a halt.

Data is a crucial element of your business and its security needs to be a priority when considering a cloud service provider. Not all data is created equal. Financial information, employee information, and competitive data could all be considered data that needs a high service level in terms of security. How data will be protected should be laid out in your SLA.

If you find you need higher levels of service in terms of data protection, disaster recovery or any of the services above, these should be clearly identified in the SLA, as well as what the consequences are if the agreed-upon levels are not met. Once you identify the business requirements, you can decide what type of services you need. The result can also determine whether to consider a public, private, or hybrid cloud model.

Cloud Provider Shuts Down

A cloud provider could shut down for a variety of reasons such as bankruptcy, an unrecoverable power outage, contract disputes, vendor issues, etc. Although it's rare for a provider to shut down immediately without warning, it can happen. Therefore, it's important to have a contingency plan in place that addresses how you will get your data back. If you are working directly with the data center, the data must be given back to the customer, since they do not have the capability to transfer data to another provider. However, if you use an IT Managed Services provider for cloud services, they can take care of giving your data back to you or transferring it to another supplier.

To avoid complications due to a shutdown or interruption in cloud services:

- Make sure the provider has a documented plan to give your data back, including method of transportation and formatting, in case of closure.
- In the SLA, clearly identify the ownership and control rights of all company data.
- Assess the financial strength and check references of the provider.
- Have a backup plan in place to protect your business and your data in case your cloud services provider goes out of business.

Data Security

The security and integrity of data in the cloud causes a lot of hesitation for business owners and decision makers when it comes to considering cloud services. Before looking for a cloud services provider, inventory your data. Identify the different types of data, whether it's highly sensitive or not, how it's managed, and how it's stored. Consider whether or not it would be best for your business to store your data in the cloud. You may have to comply with industry or state regulations, and going to the cloud may complicate processes. Once the decision is made to move to the cloud, many factors regarding data security come into play when selecting a provider.

Here's a high-level checklist of what to ask of a Cloud Services Provider:

- Data Center Facility Security: find out what the physical security measures are to prevent unauthorized access to servers, such as surveillance, key card access, security guards, etc.
- Infrastructure Security: make sure controls are in place to prevent hackers from stealing your data. A reputable provider will have anti-intrusion measures such as secure firewalls, SSL (Secure Sockets Layer), encryption, antivirus software, and a password policy.
- Accessibility of Data: unless you have a dedicated server, chances are highly likely that you will be sharing a server with other cloud service provider clients. This is referred to as multi-tenancy. Ask how they separate information and systems, and make sure that unauthorized users are not allowed to get their hands on your data.
- Data Loss: find out what provisions are in the contract if the provider loses or corrupts your data. There should be a clearly defined plan in your contract; if not, you may want to consider going elsewhere.
- Data Backup: make sure daily backups are performed and that the backups are tested. Performing regular backup routines is critical, but verifying that these routines actually work is just as vital.

Transmission of Data

Initial Setup

You are going to need to move your data and files, which are stored on hard drives, servers, or tapes, into the cloud. This means you will need to upload your data to the cloud server of the hosting provider. There are many ways to do this, so make sure you ask your provider how they will make the switch. Some providers will have you upload all of your existing files, while others will just start with new data. Existing data will remain on the systems, or will have to be uploaded separately.

As uploading of files demands a lot of resources, you should understand when it will be done. If your files are transferred during business hours, this will result in sluggish Internet speeds. It's best to work with a provider who is flexible as to when you want the data uploaded.

Also, ask the cloud provider what file and document formats are supported. While most of the larger cloud providers support almost every type of file/document, there are some providers that may have limitations as to the type of file that can be uploaded, stored, and how you can use it. The takeaway here is to determine if you will need to convert files and data to a format the provider supports. If you need data conversion, ask if they provide conversion tools and support. This will make conversion a lot smoother. Keep in mind, data conversion can be a very time-consuming process.

Switching Cloud Providers: Exporting and Removing Data

Businesses may think that the cloud service provider they initially contract with will be the one they always use. This can be risky thinking when it comes to technology. There will come a time when you need to remove your files from the service. Be sure to ask the provider about their exit process. Some have been known to charge incredibly high rates to remove files.

A good cloud services provider will assist you in removing files and will have a clear solution. As your files are saved on hard drives on servers, your data, once removed, could remain on these drives. This is obviously something you wouldn't want, so ask what the provider does with the files once you remove them.

Encryption

To give sensitive data the highest level of security, it should be stored in encrypted form. The goal is to make data unintelligible to unauthorized readers and difficult to decipher when attacked. Encryption operations are performed by using random encryption keys. The randomness of keys makes encrypted data harder to attack. Keys are used to encrypt the data, but also to perform decryption. Keys are often stored to allow encrypted data to be decrypted at a later date.

When it comes to data encryption, you will typically hear two terms: data at rest and data in transit. Examples of data at rest include data stored on your computer's hard drive or in a storage facility. Data in transit includes data transferred through email, mobile devices, or a USB stick, and can even include a backup tape if you are delivering it from point A to point B.

To make sure your data is protected, ask your cloud provider about encryption methods. It is important to make sure your data is encrypted all the time, when it's in transit and when it's at rest. Learn about how the cloud provider would manage and protect your data's encryption keys, especially when it comes to rules for access control.

Although firewalls can be excellent protection from external threats, it's important to protect against internal attacks as well. Encryption for data at rest can help prevent attacks by employees who have access to sensitive information. These types of attacks are often even more devastating and cannot be prevented by firewalls. While viruses and stolen banking and credit card information are the rage in the headlines, less publicized incidents such as data theft or destruction by disgruntled former employees can result in far more damage.

In addition to talking to your provider about encryption methods, ask these questions:

1. How many employees at the hosting facility have access to your databases?
2. How are they storing passwords?
3. Do they have security policies in place that include auditing database security and monitoring for suspicious activity?
4. What is the security plan if database security is breached?

While preventive security mechanisms like encryption are readily available, oftentimes they are not implemented to secure data from internal and external threats.

Data Breach Notification

Businesses are required to take reasonable steps to protect the personal information they hold from misuse and loss and from unauthorized access, modification or disclosure. The same goes for data center and cloud services providers. When looking for a provider, make sure they have a documented plan on handling data breaches.

Questions to ask a potential cloud services provider:

- What constitutes a data breach?
- What measures are in place to prevent and detect a security breach?
- How are breaches investigated?
- Under what criteria are more severe breaches escalated in order to be handled in a manner appropriate to the risk they pose?
- What's your notification procedure? The notification procedure should document how you will be notified (i.e. phone call, letter, or email) in the event of a breach and what the timeline is from the time of the breach to the time of notification.
- What are your incident response procedures? You should attempt to require the cloud provider to keep to certain procedures.

Particular data breach response obligations may include:

- Immediate investigation after a breach
- Providing prompt notice to the customer, within hours of the breach
- Written reports and status reports concerning the breach
- Keeping certain information that would be relevant to a data breach (including logs, planning documents, audit trails, records and reports)
- Documentation of corrective actions

Most states have set security breach notification laws. Be aware of what the laws are in your state and how your cloud services provider plans to meet the requirements. A part of your strategy for security in the cloud is the need to have appropriate plans in place for breaches and loss of data. This is a critical component of your overall agreement with the cloud service provider.

DATA BREACHES

- Target: 110 million customers' personal and payment information exposed. Reason: stolen credentials allowed hackers to access Target networks.
- Heartland Payment Systems: 134 million credit cards exposed. Reason: SQL injection to install spyware on Heartland's data systems.
- TJX: 94 million credit cards exposed by hacker. Reason: network wasn't protected with any firewalls.
- Fidelity National Information Services: 3.2 million customer records including credit card, banking and personal information. Reason: employee theft.

Resource: CSO Security and Risk, csoonline.com, "15 Worst Data Security Breaches"

The move to the cloud is a big decision. For more information on cloud services or any of the material covered in this whitepaper, contact us at info@ceservices.com or (508) 919-8280.