Many organizations interested in cloud computing infrastructure have developed comprehensive risk assessment questionnaires as part of their due diligence process to evaluate potential providers before entrusting their data to them. They seek to qualify third-party service providers in order to gain a sufficient level of confidence that their data, and every application used to process that data, will be secured in accordance with accepted standards and applicable regulatory requirements, such as HIPAA, GLBA, SOX and other data governance regulations.
While a “bill of rights for cloud,” privacy, and internal security technologies and practices have been much discussed, physical security is often overlooked or given short shrift. Few in the IT industry appear to have formalized criteria for on-site audits of cloud computing service providers, perhaps because many providers flatly refuse to allow on-site facility inspections. But as more customers insist upon a level of transparency, those seeking to move to cloud-based services and technologies should carefully consider the value of on-site inspections.
While not necessary for all forms of cloud deployment, making on-site inspections an IT protocol and repeatable practice offers another layer of risk mitigation. Most companies ask where their data and applications are processed and stored, but few pull back the curtains to see who or what is actually protecting the cloud provider’s processing and storage facilities. IT’s decision to opt for on-site inspection should be based largely upon:
- Type of data entrusted to the cloud provider.
- Criticality of the application(s).
- History and reputation of the provider.
Conditioning an on-site audit of a provider’s facilities on whether the dollar value of the transaction exceeds a certain threshold is not recommended: a low-value contract can still carry sensitive data or a critical application, so contract size alone will not adequately protect your company or its data.
Keep in mind that clouds are just servers and storage devices sitting in a room in one or more facilities. Of course, you’ll want to know where all such facilities are located, or at least those that will process or store your data, but you’ll also want answers to some very important questions about the people, processes and technological controls employed at the facilities.
A Physical Inspection Checklist
In the course of conducting a physical inspection of a cloud provider, take special note of the following:
- Threats to physical security and personal safety. Is the facility, as well as the personnel located at the facility, adequately protected against actual and potential environmental, structural, power and human-related threats? What physical controls are in place, and how (and how often) and by whom are they documented, reviewed and maintained? Are fire detection systems and automatic suppression systems properly positioned and regularly tested? Are all data center activities monitored and recorded (cameras, badge access logs and sign-in sheets), and for how long are those records retained?
- Condition and maintenance records of the facility. Is the facility a state-of-the-art structure designed and built to current data center construction standards and specifications, or is it a converted warehouse that’s seen better days? How are the facility and its associated physical systems being maintained? Does the provider dedicate adequate resources for the care and maintenance of the facility?
- Access controls. Is the facility a dedicated “lights-out” facility where few or no authorized personnel may access its interior? Or is the facility shared by other organizations? If so, are there appropriate controls, such as locked cages or cabinets, to segregate tenants’ equipment and restrict access to it? Are there adequate facility access controls in place, such as fences, badges and guards, at all points of entrance and exit? What policies and safeguards are enforced with respect to visitors, and are visitors escorted at all times?
- Cloud provider personnel. These are the very people who may access and/or control your data. How long have they been employed by the provider? What are their qualifications? How are they screened? Do they expressly agree to be bound by relevant company policies? What is the attrition rate at the provider? How many employees are assigned to specific functions? Are staffing levels appropriate or are resources thinly staffed, overtasked and overworked? Are there adequate backup and support personnel? How are employees treated? Are they generally happy? Are there appropriate measures in place designed to ensure their safety and welfare?
- Viability and stability of the cloud provider. An on-site visit has the added benefit of giving you a window into the viability and stability of the cloud provider as a going concern. By touring the provider’s facilities, you should be able to glean whether it is a well-organized, well-managed, compliance-focused operation, or whether it appears to operate in a haphazard, ad hoc fashion with insufficient attention to detail or in a constant state of troubleshooting or disarray. Does it appear to be investing in its business and planning for future growth, or will it require costly upgrades in the near future? What processes are followed (e.g., ticketing) to address and escalate problems and ensure their proper and timely resolution? Does the provider have and enforce a clean desk policy? Does it engage an independent firm, such as a CPA firm, to conduct a SAS 70 review of the controls relating to its cloud operations and practices? (SAS 70 has since been superseded by the SSAE 16/18 standards; a SOC 1 report covers financial reporting controls, while a SOC 2 report is the one that addresses security, availability and confidentiality controls, so ask for the report type that matches your concern and read the scope and exceptions rather than relying on the cover letter.) How much pride does it take in its operations? Is it deserving of its reputation? How does it stack up against other cloud providers?
An on-site inspection of a potential cloud provider provides a valuable perspective on what is actually going on inside the cloud. A provider may appear to be a great fit on paper based upon its responses to your risk assessment questionnaire, but a closer, on-site review may suggest otherwise. It is prudent to “look before you leap” before entrusting mission-critical data or applications to a third-party cloud provider. To do less could cause your organization to get lost in the clouds.
SOURCE: Behind the Curtains of the Cloud: Considerations for Physical Inspection