The United States Mint had a cloud computing solution for ecommerce they were interested in implementing, but they wanted to make sure they understood the security from the provider before they made anything final. U.S. Mint CISO Chris Carpenter told those at the 2012 SecTor security conference that he insisted on knowing about how the application they had in the cloud was being secured from top to bottom and was shocked to hear the provider say that no one has ever asked them those types of questions, according to TechTarget news director Robert Westervelt.
For the department and Carpenter, this wasn't an answer they were prepared to hear, as any responsible technology investment should include a prior discussion of security implications. According to Westervelt, Carpenter said he grilled the provider during the contract negotiation on how they conducted penetration testing, what their incident response protocol looked like and how employee credentials are reviewed.
"There was tap dancing and delays," Carpenter explained, describing the vendor's hesitant responses to detailed cloud security questions. "Be prepared for resistance and unpreparedness, because they aren't always prepared for these kinds of questions and requests … Cloud providers don't really give you specific logs for your stuff, but your data is there, so you've got to ask for it."
With that in mind, Carpenter told TechTarget that he asked the provider for access to the server and database log so the agency could make sure the third-party architecture was secure enough for their liking. The provider ended up writing it into the U.S. Mint cloud contract. Other businesses should take note of this, as getting exactly what they want may take a bit of persistence when it comes time to negotiate service level agreements.
Security must be negotiated into an agreement
There's something of an art to getting the best possible cloud security deal for a company, and that art is negotiation. Companies must take the time when they are first looking into a service level agreement to be sure they are getting everything they want from the deal. InformationWeek said negotiation isn't standard practice, but it most certainly should be for companies looking to have the best possible cloud platform.
"You need to spend time figuring out why you need to make the change so you can make a business case to the cloud provider that it's in everyone's best interest that the changes be made," legal expert David Snead told TechTarget.
Before starting negotiations, the website said companies have to keep realistic expectations for what will actually be there and realize the cloud cannot do everything that may be desired. In the days and weeks before contracting with a cloud service provider, corporate IT and legal teams need to do their due diligence in researching and making sure they know exactly what to expect from an agreement.
Jonathan Shaw, principal with consulting firm Pace Harmon, told InformationWeek that companies should be making sure that no matter what they have written into their contract that the provider they have chosen can actually fulfill its promises.
"In an SLA, specificity is very important," he explained to the website. "You don't want to leave it open to broad terms. It goes back to knowing what you want – as a customer, you know your business best and you shouldn't rely on a provider to figure out what you need."
Seek transparency above all else
Back at the SecTor conference, TechTarget said Carpenter told the crowd that they should be asking their providers for tools that make them more transparent, such as reports on compliance or security plans before signing anything. Aggressive testing should be done by organizations to make sure that these cloud providers have everything in place they said they have. One thing he said may be helpful is asking for any incidents that may have happened and how the provider handled it.
One thing he said won't hurt when putting all of these new specifications with a provider is some incentives for the provider, such as extra compensation in recognition of the value they're providing or a reduction of liability. There can also be an escape clause just in case the relationship between the cloud provider and the company develops some irreconcilable differences. With incentives and outs like this, the provider will be more likely to do the best possible job with cloud security for the company. Adding language like this into the service agreement can make the contract that much more valuable for both sides.
"You've got to understand the true impact, or lack of impact of SLAs," Carpenter said. "You have to have an incentive or hold a carrot out so they work hard for you."
Cloud Security News from SimplySecurity.com by Trend Micro.