WHITE PAPER

With All Due Diligence

This paper serves as a guide to investigating and understanding a prospective cloud provider's true security capabilities in a modern cloud environment.

www.tierpoint.com

Table of Contents

Executive Summary
The Four Cornerstones of Your Due Diligence
1: Verify Infrastructure
2: Verify Certifications
3: Verify the Provider's Own Due Diligence
4: Verify Data Protection
Conclusion and Recommendations
References

Executive Summary

Do you hand over your company's data to your cloud services provider without making sure they are fully capable of protecting it? The Ponemon Institute has found that only 43% of businesses utilizing cloud services actually "audit or assess cloud computing resources before deployment."[i] That is a big problem, according to the Cloud Security Alliance: they say that the failure of organizations to conduct due diligence on their cloud vendors is one of the top cloud computing threats, in part because customers tend to underestimate the danger of performing insufficient due diligence (see Figure 1).[ii] And the issue is only becoming more prevalent, given the growth of cloud computing in the modern marketplace: over half of American companies are using cloud computing systems,[iii] with expenditures on cloud services likely surpassing $180 billion by 2015.[iv]

[Figure 1. Cloud Provider Due Diligence At A Glance (columns: Risk, Relevance, Rank). Source: Cloud Security Alliance.[v]]

It's time to take due diligence and give it its due; it's no longer enough to simply ask for a list of compliance certifications. The need for sophisticated due diligence has grown exponentially just within the past couple of years. But how do you determine which cloud providers can deliver on their promises, and which cloud offerings are just smoke and mirrors?

This paper will help you understand, clearly and concisely, what due diligence should mean to you in the modern cloud environment. We'll walk through the kinds of information you need to unearth, including the subtle, non-obvious questions, to be sure your prospective cloud provider isn't merely compliant but truly secure and reliable.

The Four Cornerstones of Your Due Diligence

Cornerstone #1: Verify Infrastructure

Insider Tip: "My number one piece of advice would be to make sure that their cloud hardware and infrastructure is based on a standardized set of equipment." - Denoid Tucker, Chief Technology Officer, TierPoint

Make sure that the provider's cloud hardware and infrastructure is based on a standardized set of equipment. The equipment for all of their cloud infrastructure, including multiple data centers, multiple physical servers and multiple storage area networks, should be both standardized and enterprise-class.

Why? The cloud, your cloud, lives on that infrastructure. Good cloud providers will put their infrastructure through as much due diligence as the cloud itself (we'll cover this point more in Cornerstone 3). This issue is foundational; that is, it's literally the foundation upon which your cloud will rest. Make sure it's robust enough to shoulder the weight.

There are four key elements to infrastructure: facilities, hardware, core connectivity and delivery. TierPoint's Vice President of Technical Services, Brian Bean, explains, "Infrastructure is a broad and often misunderstood term. It means hardware first and foremost, but it's also talking about how that hardware is architected, assembled and used. It immediately implies questions most customers don't even think about: Will every piece of equipment work with other pieces of equipment in the environment?"

That can become a major issue during failover [disaster recovery] protocols. Is the cloud provider locked into particular vendors? Too much reliance on a single vendor can impact performance and present budgetary concerns. For example, a patchwork quilt of technologies and components raises costs by requiring multiple sets of adapters, cables and switches. Ideally, hardware resources should be uniform (for ease and cost effectiveness), physically distributed (for security and business continuity planning) and centrally managed (for responsiveness). Security should be architected into the infrastructural planning rather than tacked on, or, worse, borrowed from security protocols designed for an environment different from the one used for your data.

From the micro to the macro, infrastructure also encompasses the environment's total physical and logical security. In other words, have the cloud provider's data centers as a whole been secured against both physical and virtual intrusion using best-in-class protocols, design and physical equipment/layout? Indeed, the implications of how well (or poorly) infrastructural components are chosen and implemented ripple outward into every other aspect of the cloud provider's operations, including performance and risk.

According to the International Working Group on Cloud Computing Resiliency (IWGCR), the average downtime for a cloud provider is 7.5 hours per year. Infrastructure is a major component of whether your provider will beat the average or not. Similarly, security risks can be traced back to infrastructure. Questions ranging from "who can access my data?" to "what happens if servers fail; will we lose data?" depend on the quality and consistency of the provider's infrastructure.

Thankfully, the industry has established some pretty clear metrics here, and many guides will indicate specific elements of infrastructure you should investigate (we'll point you toward a couple later in this paper). Plus, you have another avenue for verifying infrastructural integrity: certifications. We'll cover those next.

Cornerstone #2: Verify Certifications

Insider Tip: "I would advise looking at the layers of certification that the company has, and figure out why they have those particular certification layers." - Paul Mazzucco, Chief Security Officer, TierPoint

Nearly three-quarters (72%) of companies told researchers at the Ponemon Institute that they are unsure, disagree or strongly disagree that their cloud providers are "in full compliance with privacy and data protection regulations and laws."[vi] That's shocking because certifications are just about the simplest thing to verify.

In fact, savvy business IT leaders, especially larger enterprises, don't necessarily see certifications as all that interesting. Their response to seeing those certs? "Of course you have that; you have to have that layer of certification. Otherwise, I wouldn't even be talking to you." They recognize that certifications establish that a provider meets minimum thresholds established by law. But as we all know, the law sometimes struggles to keep up with cutting-edge trends in technology. So the certification is the beginning of the conversation, not its end.

In other words, there's more to this step than meets the eye, much more than just crossing line-items off a checklist. A cloud provider's certifications can give you a lot of valuable secondary information, allowing you to triangulate the cloud provider's capacity to meet your needs.

First, certs highlight industries served. While the "alphabet soup" of compliance regulations (HIPAA, PCI, SOX, GLB, SOC, ISO, FedRAMP...) is quite diverse, certification generally means that an independent accrediting organization has done its own form of (narrowly focused) due diligence on the cloud provider. Compliance indicates at least minimally satisfactory performance metrics and security safeguards that are in line with industry standards and applicable laws. For instance: if the cloud provider is PCI DSS compliant, you know it adheres to the proprietary information security standard for organizations that handle branded credit cards. If it is HIPAA compliant, you know it adheres to the policies, procedures and guidelines for maintaining the privacy and security of individually identifiable health information. Other specific certifications will vary according to customer needs and circumstances. But in all cases your goal during due diligence is two-fold: first, to understand whether the cloud service provider adheres to industry standards for security; and second, to understand their data center operational efficiencies. For example, SSAE 16 certification assesses the internal controls of a service organization; SSAE 16 Type 1 substantiates the suitability of the controls, while Type 2 attests to their operational effectiveness.

Secondly, certs tell you what kinds of clients have already done due diligence on the provider. For instance, if a cloud provider has obtained PCI accreditation, obviously that means they have clients working in the financial sector. In that case, according to TierPoint's CSO Paul Mazzucco: "It's important to check the number of financial services clients the cloud provider is supporting. Is it three clients or 20? PCI accreditation tells you they meet the letter of the law, while the depth of their financial services client base tells you how many other major players performed the same due diligence and are comfortable enough with their discovery to have chosen that cloud provider." In other words, you're not the first company to do due diligence on them.

Third, they offer you a starting point to ask how the provider stays truly secure, not just compliant. Finally, a smart client will use the certs as a starting point for the security conversation. "Okay, so you're certified. Now show me all the other things that are going to make me sleep well at night. Prove to me that you test all these processes and procedures." Using the financial services industry example, look beyond PCI accreditation. Ask the cloud provider about their knowledge of data retention and encryption. Examine their processes and procedures. Demand proof that security protocols are in place and that they were implemented correctly and tested against industry best practices. In other words, ask what due diligence the provider has done on itself.

Cornerstone #3: Verify the Provider's Own Due Diligence

Insider Tip: "I would want to see and understand the third-party due diligence the provider has obtained." - Denoid Tucker, CTO, TierPoint

Unplanned downtime can cause serious financial consequences for any business. A December 2013 Ponemon Institute study quantified the cost of an unplanned data center outage at $7,900/minute, up 41% from 2010.[vii] Your cloud provider should be doing its own due diligence to ensure its equipment, networks and protocols actually work through a broad spectrum of scenarios, both ordinary and catastrophic.

According to TierPoint CTO Denoid Tucker: "Our xCloud infrastructure goes through as much due diligence as the cloud itself. People early on weren't asking, 'What happens if a major weather event in Hawthorne, NY causes a disruption? Where does my data go because you're my cloud provider?' But today they are asking those questions, and we have to show them new layers of due diligence to prove that we have an Incident Response Plan (IRP) in place along with the processes and procedures to implement it. In other words, we know what to do if something happens in any one of our data centers; we can show where the client fits into the plan; and, perhaps most importantly, we can provide evidence that our procedures have been tested and proven to work."

Does the cloud provider know how to fail successfully?

Any given risk to the provider's infrastructure might be low, but it's never zero, and any provider that offers enterprise-class services must make arrangements for resources beyond just a single data center. For instance, in the case of extreme weather, such as Hurricane Sandy, it's critical that your cloud provider has redundancy and capacity built in. You do not want to do business with a provider that does not plan for growth while maintaining their stated levels of high availability. Due diligence is about eliminating as much risk as possible; ensure that a provider's growth will not create a high-risk situation for your critical business workloads. One of the best ways to do this is to make sure your workloads are distributed across multiple, highly resilient facilities. That requires the cloud provider to have developed its own contingency plan to deal with unforeseen disasters or performance issues; so ask them to map out those DR and BC plans for you.

Consider public cloud giant Amazon: when they suffered a major outage at their Northern Virginia data center in 2012, it hit customers hard; but those that had adopted a cloud model involving multiple data centers across availability zones (AZ) suffered little or no ill effects.[viii, ix] One major caveat: most of those Amazon customers had to specially set up service in multiple data centers. Those who did not lost their service until the Northern Virginia location was restored. That is why even Amazon's own CTO Werner Vogels preaches that IaaS cloud users should prepare for failure: opting not to pay for redundancy, for example, may be "penny wise" for ordinary usage but can prove to be "pound foolish" during catastrophic outages.

Are your cloud provider's people smart?

Another area of internal due diligence that often gets overlooked by customers: staffing. Not only are you investing in a provider's technology, you are depending on the quality of their people too. Do you trust them with your job? Background checks may be overkill, unless the cloud provider will be working with government agencies; however, it is advisable to ask about, for example, internal protocols for managing employee access to customer data, or what technical certifications are required by the cloud provider for the engineers building and maintaining your cloud.

Altogether, if the cloud provider hasn't done due diligence on itself, it cannot verify it can meet your needs even in extreme circumstances ... and that means it can't guarantee the safety of your data.

Cornerstone #4: Verify Data Protection

Insider Tip: "Look for the ability to secure your business against data breaches by being able to monitor the data flow and know when there's any sort of intrusion into your network." - Paul Mazzucco, Chief Security Officer, TierPoint

Data loss is a serious threat for cloud customers. We would argue that all of the other due diligence verifications we've discussed (infrastructure, certs, etc.) lead to this one, because ultimately it's about keeping your systems, your apps and, above all else, your data safe. And that's not a trivial task. One 2014 survey found that a staggering 43% of companies had a data breach in the past year,[x] and 45% of businesses have had data lost within the past 12 months, 11% of whom were required to disclose the loss publicly.[xi] With some 800 million records lost in 2013 alone, data breaches, theft and loss are serious business. Not to mention expensive: the Ponemon Institute's "2014 Cost of Data Breach Study: United States" found it costs businesses $201 per record lost, a $9 increase from the previous year.[xii] (It should be noted the Ponemon study also found that data loss is actually less costly "when the organization's use of IaaS or cloud infrastructure increases.")

Once upon a time, protecting the perimeter was enough. Today that's a fairy tale. Securing against data breaches and data loss means something very different than it did even just a couple of years ago, and focusing security efforts on the perimeter is insufficient. Just ask Target, JPMorgan Chase, eBay or Home Depot. In fact, since the Target breach, there has been a major data breach discovered almost every month.[xiii] Tom Kellermann, the chief cybersecurity officer at IT security firm Trend Micro, told the Washington Post in the aftermath of the Home Depot mega-hack (in which some 56 million credit card numbers were compromised), "Current standards of security for these large organizations are very perimeter-focused and don't deal with the level of attacks that are going on in the market."[xiv]

Today, protecting against breaches means continuously monitoring the entire network and its activity for any and all anomalies. Ask your cloud provider how they adapt internal security controls and processes to identify and meet the security impact of technological changes. Then, in turn, are those changes documented and proven via the cloud provider's own due diligence?

The risks are evolving faster than the speed of business.

This is all because threats have evolved significantly. As TechCrunch reports, "As organizations have bolstered their security, hackers also evolved. Attacks today are more sophisticated and targeted than ever before. Rather than sending generic malware, hackers today carefully plot each and every attack, using unique, 'zero-day' exploits that render signature-based protections nearly useless."[xv] These new threats require a new kind of proactive, adaptive monitoring that is difficult to implement. In fact, this may be part of the reason why you're even considering a cloud provider in the first place: since cloud security is part of their core service, they make major investments in it, a level of investment that companies whose core business lies elsewhere might not be able or willing to make, including beyond-adequate levels of encryption and key management, hardware and smoke control to protect against denial of service, stringent background checks and employee training to protect against malicious insiders, etc.

Conclusion and Recommendations

Due diligence is no longer simply a checklist. Your cloud provider is one of the most strategic business partners that you can have, and you cannot go into such a key business relationship without verifying that they can deliver on the promise of ever-evolving cloud services. Just as security has moved from relatively straightforward malware signature detection to adaptively and proactively seeking out anomalous behavior, due diligence is a painstaking process of searching out the anomalies and gaps in your current or prospective cloud provider's offerings. In fact, due diligence may just be the single most important step you can take to effectively mitigate the risk of hosting your company's data, applications and operating environments in the cloud.

To ensure you perform due diligence equal to modern requirements, we recommend the following actions:

1. Visit the provider's data center facilities. If they don't permit customer visits, that should be an immediate red flag. Business customers should be able to see the facilities, equipment and people that will be hosting and protecting their valuable data.

2. Request and follow up with references. Ask to see the certifications alongside a client list that demonstrates diversity in the client base. Ask why those clients chose that provider over what other competitors were offering.

3. View compliance certificates; in the case of SSAE 16, also view the Statements of Applicability. Not only can these documents provide evidence of the certs, they can also shed light on specific security controls and operational controls.

4. Require evidence. Don't be afraid to ask for evidence of security or performance claims; take nothing at face value. A professional cloud provider will be happy to demonstrate what they're doing to be really secure, not just compliant. Further, continue to ask for evidence on demand as needed: access logs, data flow of firewalls, etc.

5. Take advantage of professional resources to help guide your due diligence. In particular, the Cloud Security Alliance has put together a comprehensive and detailed guide that we recommend. For instance, the CSA's Cloud Controls Matrix contains 269 standards covering every aspect of cloud security implementation, operation and maintenance.

6. Test it yourself. Order your own independent penetration tests. You may have to pay for it, but it's a worthwhile investment: choosing a provider wisely will return dividends over the years.

References

i. (2013, Mar). Security of Cloud Computing Users Survey. The Ponemon Institute. Retrieved November 17, 2014, from http://www.ca.com/kr/~/media/Files/IndustryAnalystReports/2012security-of-cloud-computer-users-final1.pdf
ii. (2013, Feb). The Notorious Nine: Cloud Computing Top Threats in 2013. The Cloud Security Alliance. Retrieved October 1, 2014, from https://downloads.cloudsecurityalliance.org/initiatives/top_threats/The_Notorious_Nine_Cloud_Computing_Top_Threats_in_2013.pdf
iii. Young, M. (2013, Aug). 5 Benefits of BYOD with Cloud Computing. CloudTweaks. Retrieved October 1, 2014, from http://cloudtweaks.com/2013/08/article-title-5-benefits-of-byod-withcloud-computing/
iv. McCue, T. (2014, Jan 29). Cloud computing: United States businesses will spend $13 billion on it. Forbes. Retrieved October 5, 2014, from http://www.forbes.com/sites/tjmccue/2014/01/29/cloud-computing-united-states-businesses-will-spend-13-billion-on-it/
v. (2013, Feb). The Notorious Nine: Cloud Computing Top Threats in 2013. The Cloud Security Alliance. Retrieved October 1, 2014, from https://downloads.cloudsecurityalliance.org/initiatives/top_threats/The_Notorious_Nine_Cloud_Computing_Top_Threats_in_2013.pdf
vi. (2014, Sep). Data Breach: The Cloud Multiplier Effect in European Countries. Ponemon Institute. Retrieved October 5, 2014, from http://www.netskope.com/wp-content/uploads/2014/09/Netskope-EU-consolidated-Research-Report-FINAL.pdf
vii. Ponemon Institute. (2013, December). The Lowdown on Data Center Downtime: Frequency, Root Causes and Costs. Emerson Network Power. Retrieved August 22, 2014, from http://www.emersonnetworkpower.com/en-US/Solutions/ByApplication/DataCenterNetworking/Data-Center-Insights/Pages/Causes_of_Downtime_Study.aspx
viii. Adler, B. (2013, January 4). AWS Outage Lessons Learned: If Netflix Can Suffer, So Can You. RightScale. Retrieved August 14, 2014, from http://www.rightscale.com/blog/cloudmanagement-best-practices/aws-outage-lessons-learned-if-netflix-can-suffer-so-can-you
ix. Pryor, D. (2013, Jun 4). Ten vital questions to ask your cloud provider. HighQ. Retrieved October 1, 2014, from http://highq.com/blog/ten-vital-questions-to-ask-your-cloud-provider
x. Wise, E. (2014, Sep 24). 43% of companies had a data breach in the past year. USA TODAY. Retrieved November 3, 2014, from http://www.usatoday.com/story/tech/2014/09/24/databreach-companies-60/16106197/
xi. Finneran, M. (2013, Dec 4). How mobile security lags BYOD. Dark Reading. Retrieved October 1, 2014, from http://www.darkreading.com/mobile-security/how-mobile-security-lags-byod/d/d-id/1112902
xii. Messmer, E. (2014, May 5). Data breaches 9% more costly in 2013 than year before. Network World. Retrieved October 3, 2014, from http://www.networkworld.com/article/2176589/malware-cybercrime/data-breaches-9--more-costly-in-2013-than-year-before.html
xiii. (2014, June 19). 5 Data Breach Statistics Worth Knowing. Paymetric Blog. Retrieved November 3, 2014, from http://www.paymetric.com/uncategorized/5-data-breach-statisticsworth-knowing
xiv. Halzack, S. and Peterson, A. (2014, Sep 9). Home Depot breach reveals how challenging it is to ward off data theft. The Washington Post. Retrieved September 15, 2014, from http://www.washingtonpost.com/blogs/the-switch/wp/2014/09/09/home-depot-breachreveals-how-challenging-it-is-to-ward-off-data-theft/
xv. Eshel, P., Moore, B. and Shalev, S. (2014, Sep 6). Why Breach Detection Is Your New Must-Have Cyber Security Tool. TechCrunch. Retrieved October 1, 2014, from http://techcrunch.com/2014/09/06/why-breach-detection-ss-your-new-must-have-cyber-security-tool/

About TierPoint

TierPoint is a leading national provider of cloud, colocation, managed services and disaster recovery solutions designed to help organizations improve business performance and manage risk. With corporate headquarters in St. Louis, Mo., TierPoint operates 13 highly redundant, Tier III plus data centers in the states of Washington, Texas, Oklahoma, Pennsylvania, Maryland, New York, Massachusetts and Connecticut. To find out how TierPoint can help you with your cloud, colocation, managed services and disaster recovery initiatives — call 877.859.TIER (8437), email sales@tierpoint.com, or visit us at www.tierpoint.com.

TierPoint
520 Maryville Centre Dr.
St. Louis, MO 63141
www.tierpoint.com

© 2015 TierPoint, LLC. All Rights Reserved.