As more enterprises embrace software-as-a-service (SaaS), a nagging question has begun to surface: Who’s on the hook for assessing and validating cloud security? The sometimes-complicated world of cloud computing makes that question tricky to answer. A SaaS deployment involves the customer, the software provider and, possibly, another party that hosts the cloud software. Some projects may also involve a cloud services broker as an intermediary.
Cloud environments are designed to operate differently than legacy enterprise architectures (e.g., with respect to network architecture, provisioning, and scaling). It is important to find proven cloud security solutions to protect mission-critical applications, confidential data, and the underlying infrastructure that supports those applications, including network, compute, database, and identity management. An overall solution should address:
- Network: Firewall, Intrusion Detection, and Vulnerability Scanning provide detection and protection, while also lending visibility into security health.
- Compute: Anti-Virus, Log Management and File Integrity Management protect against known attacks, provide compliance and security visibility into activity within an environment, and reveal when files have been altered, whether maliciously or accidentally.
- Application: A Web Application Firewall will protect against the largest threat vector in the cloud: web application attacks. Encryption technologies are ubiquitous for data in-flight protection, and some companies select encryption for data-at-rest when necessary, assuming applications can support it.
- Application Stack: Security Information Event Management (SIEM) can address the big data security challenge by collecting and analyzing all data sets. When deployed with the right correlation and analytics, this can deliver real-time insight into events, incidents, and threats across a cloud environment.
The design and configuration of these types of services will be driven by requirements, including an organization’s security and compliance standards, application and data sensitivity, risk assessment, and the policies implemented by the service providers an organization selects. Symosis can help you assess and manage risk and determine liability and responsibility in cloud environments. Our methodology is based on industry standards such as CSA STAR, ISO 27001, AWS Best Practices, and FedRAMP, and covers a wide variety of areas, including:
- Accountability and Data Ownership
- User Identity Management
- Regulatory Compliance
- Business Continuity and Resiliency
- User Privacy and Secondary Usage of Data
- Service and Data Integration
- Multi Tenancy and Physical Security
- Incident Analysis and Forensic Support
- Infrastructure and Application Security
- Non Production Environment Exposure
- Malware/Botnet, Brute Force, Vulnerability Scan, Web App Attack, Recon, App Attack
We have experience assessing and managing risk in a variety of cloud environments, including Amazon Web Services (AWS), Atos, Dimension, Rackspace, Citrix Systems, Google Cloud / Enterprise, SAP, Oracle Cloud IaaS, Salesforce.com, IBM, Latisys, Layered Tech, Logicworks, Microsoft Azure, Sungard Availability Services, VISI, and Windstream Communications.