TierPoint White Paper_With all due diligence_2015

www.tierpoint.com

WHITE PAPER

This paper serves as a guide to investigating and understanding a prospective cloud provider’s true security capabilities in a modern cloud environment.

With All Due Diligence

2www.tierpoint.com

WHITE PAPERWith All Due Dilgence

Table of Contents

Executive Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1

The Four Cornerstones of Your Due Diligence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2

1: Verify Infrastructure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2

2: Verify Certifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4

3: Verify the Provider’s Own Due Diligence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6

4: Verify Data Protection. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8

Conclusion and Recommendations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10

References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11

1www.tierpoint.com


Executive Summary

Do you hand over your company’s data to your cloud services provider without making sure they are fully capable of protecting it?

The Ponemon Institute has found that only 43% of businesses utilizing cloud services actually “audit or assess cloud computing resources before deployment.”i That is a big problem, according to the Cloud Security Alliance: they say that the failure of organizations to conduct due diligence on their cloud vendors is one of the top cloud computing threats, in part because customers tend to underestimate the danger of performing insufficient due diligence (see Figure 1). ii And the issue is only becoming more and more prevalent, given the growth of cloud computing in the modern marketplace: over half of American companies are using cloud computing systems,iii with expenditures on cloud services likely surpassing $180 billion by 2015iv.

It’s time to take due diligence and give it its due; it’s no longer enough to simply ask for a list of compliance certifications. The need for sophisticated due diligence has grown exponentially just within the past couple of years.

But how do you determine which cloud providers can deliver on their promises, and which cloud offerings are just smoke and mirrors? This paper will help you understand, clearly and concisely, what due diligence should mean to you in the modern cloud environment. We’ll walk through the kinds of information you need to unearth – including the subtle, non-obvious questions – to be sure your prospective cloud provider isn’t merely compliant but truly secure and reliable.

Risk

Relevance

Rank

Figure 1. Source: Cloud Security Alliance

Cloud Provider Due Diligence At A Glancev


2www.tierpoint.com

The Four Cornerstones of Your Due Diligence

Cornerstone #1: Verify Infrastructure Make sure that the provider’s cloud hardware and infrastructure is based on a standardized set of equipment.

The equipment for all of their cloud infrastructure – including multiple data centers, multiple physical servers and multiple storage area networks – should be both standardized and enterprise-class.

Why? The cloud – your cloud – lives on that infrastructure. Good cloud providers will put their infrastructure through as much due diligence as the cloud itself (we’ll cover this point more in Cornerstone 3).

This issue is foundational – that is, it’s literally the foundation upon which your cloud will rest. Make sure it’s robust enough to shoulder the weight.

There are four key elements to infrastructure: facilities, hardware, core connectivity and delivery. TierPoint’s Vice President of Technical Services, Brian Bean explains,

“Infrastructure is a broad and often misunderstood term. It means hardware first and foremost, but it’s also talking about how that hardware is architected, assembled and used. It immediately implies questions most customers don’t even think about: Will every piece of equipment work with other pieces of equipment in the environment?”

That can become a major issue during failover [disaster recovery] protocols. Is the cloud provider locked into particular vendors? Too much reliance on a single vendor can impact performance and present budgetary concerns.

Insider Tip:

“My number one piece of advice would be to make sure that their cloud hardware and infrastructure is based on a standardized set of equipment.”

- Denoid Tucker, Chief Technology Officer,

TierPoint


3www.tierpoint.com

For example, a patchwork quilt of technologies and components raises costs by requiring multiple sets of adapters, cables and switches. Ideally, hardware resources should be uniform (for ease and cost effectiveness), physically distributed (for security and business continuity planning) and centrally managed (for responsiveness). Security should be architected into the infrastructural planning rather than tacked on, or worse, using security protocols designed for an environment different than the one used for your data.

From the micro to the macro, infrastructure also encompasses the environment’s total physical and logical security. In other words, have the cloud provider’s data centers as a whole been secured against both physical and virtual intrusion using best-in-class protocols, design and physical equipment/layout?

Indeed, the implications of how well (or poorly) infrastructural components are chosen and implemented ripple outward into every other aspect of the cloud provider’s operations, including performance and risk. According to the International Working Group on Cloud Computing Resiliency (IWGCR), the average downtime for a cloud provider is 7.5 hours per year. Infrastructure is a major component of whether your provider will beat the average or not.

Similarly, security risks can be traced back to infrastructure. Questions ranging from “who can access my data?” to “what happens if servers fail – will we lose data?” depend on the quality and consistency of the provider’s infrastructure.

Thankfully, the industry has established some pretty clear metrics here, and many guides will indicate specific elements of infrastructure you should investigate (we’ll point you toward a couple later in this paper). Plus, you have another avenue for verifying infrastructural integrity: certifications.

We’ll cover those next.


4www.tierpoint.com

Cornerstone #2: Verify CertificationsNearly three-quarters (72%) of companies told researchers at the Ponemon Institute that they are unsure, disagree or strongly disagree that their cloud providers are “in full compliance with privacy and data protection regulations and laws.”vi That’s shocking because certifications are just about the simplest thing to verify. In fact, savvy business IT leaders, especially larger enterprises, don’t necessarily see certifications as all that interesting. Their response to seeing those certs? “Of course you have that; you have to have that layer of certification. Otherwise, I wouldn’t even be talking to you.” They recognize that certifications establish that a provider meets minimum thresholds established by law. But as we all know, the law sometimes struggles to keep up with cutting-edge trends in technology. So the certification is the beginning of the conversation, not its end. In other words, there’s more to this step than meets the eye, much more than just crossing line-items off a checklist. A cloud provider’s certifications can give you a lot of valuable secondary information, allowing you to triangulate the cloud provider’s capacity to meet your needs.

First, certs highlight industries served.While the “alphabet soup” of compliance regulations (HIPAA, PCI, SOX, GLB, SOC, ISO, FedRAMP…) is quite diverse, certification generally means that an independent accrediting organization has done its own form of (narrowly focused) due diligence on the cloud provider. Compliance indicates at least minimally satisfactory performance metrics and security safeguards that are in line with industry standards and applicable laws.

For instance: if the cloud provider is PCI DSS compliant, you know it adheres to the proprietary information security standard for organizations that handle branded credit cards. If it is HIPAA compliant, you know it adheres to the policies, procedures and guidelines for maintaining the privacy and security of individually identifiable health information.

Other specific certifications will vary according to customer needs and circumstances. But in all cases your goal during due diligence is two-fold: first, to understand whether the cloud service provider adheres to industry standards for security; and second, to understand their data center operational efficiencies. For example, SSAE 16 certification assesses the internal controls of a service organization; SSAE 16 Type 1 substantiates the suitability of the controls, while Type 2 attests to their operational effectiveness.

Insider Tip

“I would advise looking at the layers of certification that the company has, and figure out why they have those particular certification layers.”

- Paul Mazzucco, Chief Security Officer,

TierPoint


5www.tierpoint.com

Secondly, certs tell you what kinds of clients have already done due diligence on the provider.For instance, if a cloud provider has obtained PCI accreditation, obviously that means they have clients working in the financial sector. In that case, according to TierPoint’s CSO Paul Mazzucco:

“It’s important to check the number of financial services clients the cloud provider is supporting. Is it three clients or 20? PCI accreditation tells you they meet the letter of the law, while the depth of their financial services client base tells you how many other major players performed the same due diligence and are comfortable enough with their discovery to have chosen that cloud provider.” In other words, you’re not the first company to do due diligence on them.

Third, they offer you a starting point to ask how the provider stays truly secure, not just compliant.Finally, a smart client will use the certs as a starting point for the security conversation. “Okay, so you’re certified. Now show me all the other things that are going to make me sleep well at night. Prove to me that you test all these processes and procedures.”

Using the financial services industry example, look beyond PCI accreditation. Ask the cloud provider about their knowledge of data retention and encryption. Examine their processes and procedures. Demand proof that security protocols are in place and that they were implemented correctly and tested against industry best practices.

In other words, ask what due diligence the provider has done on itself.


6www.tierpoint.com

Cornerstone #3: Verify the Provider’s Own Due DiligenceUnplanned downtime can cause serious financial consequences for any business. A December 2013 Ponemon Institute study quantified the cost of an unplanned data center outage at $7,900/minute, up 41% from 2010.vii

Your cloud provider should be doing its own due diligence to ensure its equipment, networks and protocols actually work through a broad spectrum of scenarios both ordinary and catastrophic.

According to TierPoint CTO Denoid Tucker:

“Our xCloud infrastructure goes through as much due diligence as the cloud itself. People early on weren’t asking, ‘What happens if a major weather event in Hawthorne, NYcauses a disruption? Where does my data go because you’re my cloud provider?’ But today they are asking those questions, and we have to show them new layers of due diligence to prove that we have an Incident Response Plan (IRP) in place along with the processes and procedures to implement it. In other words, we know what to do if something happens in any one of our data centers; we can show where the client fits into the plan; and, perhaps most importantly, we can provide evidence that our procedures have been tested and proven to work.”

Does the cloud provider know how to fail successfully?Any given risk to the provider’s infrastructure might be low, but it’s never zero, and any provider that offers enterprise-class services must make arrangements for resources beyond just a single data center. For instance, in the case of extreme weather, such as Hurricane Sandy, it’s critical that your cloud provider has redundancy and capacity built in. You do not want to do business with a provider that does not plan for growth while maintaining their stated levels of high-availability.

Due diligence is about eliminating as much risk as possible; ensure that a provider’s growth will not create a high-risk situation for your critical business workloads. One of the best ways to do this is to make sure your workloads are distributed across multiple, highly resilient facilities. That requires the cloud provider to have developed its own contingency plan to deal with unforeseen disasters or performance issues; so ask them to map out those DR and BC plans for you.

Insider Tip

“I would want to see and understand the third-party due diligence the provider has obtained.”

- Denoid Tucker,CTO, TierPoint


7www.tierpoint.com

Consider public cloud giant Amazon: when they suffered a major outage at their Northern Virginia data center in 2012, it hit customers hard; but those that had adopted a cloud model involving multiple data centers across availability zones (AZ) suffered little or no ill effects.viii, ix One major caveat: most of those Amazon customers had to specially set up service in multiple data centers. Those who did not lost their service until the Northern Virginia location was restored. Which is why even Amazon’s own CTO Werner Vogels preaches that IaaS cloud users should prepare for failure: opting not to pay for redundancy, for example, may be “penny wise” for ordinary usage but can prove to be “pound foolish” during catastrophic outages.

Is your cloud provider’s people smart?Another area of internal due diligence that often gets overlooked by customers: staffing. Not only are you investing in a provider’s technology, you are depending on the quality of their people too. Do you trust them with your job?

Background checks may be overkill, unless the cloud provider will be working with government agencies; however, it is advisable to ask about, for example, internal protocols for managing employee access to customer data, or what technical certifications are required by the cloud provider for the engineers building and maintaining your cloud.

Altogether, if the cloud provider hasn’t done due diligence on itself, it cannot verify it can meet your needs even in extreme circumstances … and that means it can’t guarantee the safety of your data.

8www.tierpoint.com


Cornerstone #4: Verify Data ProtectionData loss is a serious threat for cloud customers. We would argue that all of the other due diligence verifications we’ve discussed (infrastructure, certs, etc.) lead to this one, because ultimately it’s about keeping your systems, your apps and, above all else, your data safe. And that’s not a trivial task. One 2014 survey found that a staggering 43% of companies had a data breach in the past yearx and 45% of businesses have had data lost within the past 12 months, 11% of whom were required to disclose the loss publicly. xi

With some 800 million records lost in 2013 alone, data breaches, theft and loss are serious business. Not to mention expensive: the Ponemon’s Institute’s “2014 Cost of Data Breach Study: United States” found it costs businesses $201 per record lost, a $9 increase from the previous year. xii (It should be noted the Ponemon study also found that data loss is actually less costly “when the organization’s use of IaaS or cloud infrastructure increases.”)

Once upon a time, protecting the perimeter was enough.Today that’s a fairy tale. Securing against data breaches and data loss means something very different than it did even just a couple of years ago, and focusing security efforts on the perimeter is insufficient. Just ask Target, JPMorgan Chase, eBay or Home Depot. In fact, since the Target breach, there has been a major data breach discovered almost every month. xiii

Tom Kellermann, the chief cybersecurity officer at IT security firm Trend Micro, told the Washington Post in the aftermath of the Home Depot mega-hack (in which some 56 million credit card numbers were compromised), “Current standards of security for these large organizations are very perimeter-focused and don’t deal with the level of attacks that are going on in the market.” xiv

Today, protecting against breaches means continuously monitoring the entire network and its activity for any and all anomalies. Ask your cloud provider how they adapt internal security controls and processes to identify and meet the security impact of technological changes. Then, in turn, are those changes documented and proven via the cloud provider’s own due diligence?

Insider Tip

“Look for the ability to secure your business against data breaches by being able to monitor the data flow and know when there’s any sort of intrusion into your network.”

- Paul Mazzucco, Chief Security Officer,

TierPoint

9www.tierpoint.com


The risks are evolving faster than the speed of business.This is all because threats have evolved significantly. As TechCrunch reports,

“As organizations have bolstered their security, hackers also evolved. Attacks today are more sophisticated and targeted than ever before. Rather than sending generic malware, hackers today carefully plot each and every attack, using unique, “zero-day” exploits that render signature-based protections nearly useless.”xv

These new threats require a new kind of proactive, adaptive monitoring that are difficult to implement. In fact, this may be part of the reason why you’re even considering a cloud provider in the first place; since cloud security is part of their core service, they make major investments in it - a level of investment that companies whose core business lies elsewhere might not be able or willing to make - including beyond adequate levels of encryption and key management, hardware and smoke control to protect against denial of service, stringent background checks and employee training to protect against malicious insiders, etc.

10www.tierpoint.com


Conclusion and RecommendationsDue diligence is no longer simply a checklist. Your cloud provider is one of the most strategic business partners that you can have, and you cannot go into such a key business relationship without verifying that they can deliver on the promise of ever-evolving cloud services. Just as security has moved from relatively straight-forward malware signature detection to adaptively and proactively seeking out anomalous behavior, due diligence is a painstaking process of searching out the anomalies and gaps in your current or prospective cloud provider’s offerings. In fact, due diligence may just be the single most important step you can take to effectively mitigate the risk of hosting your company’s data, applications and operating environments in the cloud. To ensure you perform due diligence equal to modern requirements, we recommend the following actions:

1. Visit the provider’s data center facilities. If they don’t permit customer visits, that should be an immediate red flag. Business customers should be able to see the facilities, equipment and people that will be hosting and protecting their valuable data.

2. Request and follow up with references. Ask to see the certifications alongside a client list that demonstrates diversity in the client base. Ask why those clients chose that provider over what other competitors were offering.

3. View compliance certificates; in the case of SSAE 16, also view the Statements of Applicability. Not only can these documents provide evidence of the certs, they can also shed light on specific security controls and operational controls.

4. Require evidence. Don’t be afraid to ask for evidence of security or performance claims; take nothing at face value. A professional cloud provider will be happy to demonstrate what they’re doing to be really secure, not just compliant. Further, continue to ask for evidence on demand as needed: access logs, data flow of firewalls, etc.

5. Take advantage of professional resources to help guide your due diligence. In particular, the Cloud Security Alliance has put together a comprehensive and detailed guide that we recommend. For instance the CSA’s Cloud Controls Matrix contains 269 standards covering every aspect of cloud security implementation, operation and maintenance.

6. Test it yourself. Order your own independent penetration tests. You may have to pay for it, but it’s a worthwhile investment: choosing a provider wisely will return dividends over the years.


11www.tierpoint.com

Referencesi. (2013, Mar). Security of Cloud Computing Users Survey. The Ponemon Institute. Retrieved

November 17, 2014, from http://www.ca.com/kr/~/media/Files/IndustryAnalystReports/2012-security-of-cloud-computer-users-final1.pdf

ii. (2013, Feb). The Notorious Nine: Cloud Computing Top Threats in 2013. The Cloud Security Alliance. Retrieved October 1, 2014, from https://downloads.cloudsecurityalliance.org/initiatives/top_threats/The_Notorious_Nine_Cloud_Computing_Top_ Threats_in_2013.pdf

iii. Young, M. (2013, Aug). 5 Benefits of BYOD with Cloud Computing. CloudTweaks. Retrieved October 1, 2014, from http://cloudtweaks.com/2013/08/article-title-5-benefits-of-byod-with-cloud-computing/

iv. McCue, T. (2014, Jan 29). Cloud computing: United States businesses will spend $13 billion on it. Forbes. Retrieved October 5, 2014, from http://www.forbes.com/sites/tjmccue/2014/01/29/cloud-computing-united-states-businesses-will-spend-13-billion-on-it/

v. (2013, Feb). The Notorious Nine: Cloud Computing Top Threats in 2013. The Cloud Security Alliance. Retrieved October 1, 2014, from https://downloads.cloudsecurityalliance.org/initiatives/top_threats/The_Notorious_Nine_Cloud_Computing_Top_ Threats_in_2013.pdf

vi. (2014, Sep). Data Breach: The Cloud Multiplier Effect in European Countries. Ponemon Institute. Retrieved October 5, 2014, from http://www.netskope.com/wp-content/uploads/2014/09/Netskope-EU-consolidated-Research-Report-FINAL.pdf

vii. Ponemon Institute. (2013, December). The Lowdown on Data Center Downtime: Frequency, Root Causes and Costs. Emerson Network Power. Retrieved August 22, 2014, from http://www.emersonnetworkpower.com/en-US/Solutions/ByApplication/DataCenterNetworking/Data-Center-Insights/Pages/Causes_of_Downtime_Study.aspx

viii. Adler, Brian. (2013, January 4). AWS Outage Lessons Learned: If Netflix Can Suffer, So Can You. Right Scale. Retrieved August 14, 2014, from http://www.rightscale.com/blog/cloud-management-best-practices/aws-outage-lessons-learned-if-netflix-can-suffer-so-can-you

ix. Pryor, D. (2013, Jun 4). Ten vital questions to ask your cloud provider. HighQ. Retrieved October 1, 2014, from http://highq.com/blog/ten-vital-questions-to-ask-your-cloud-provider

x. Wise, E. (2014, Sep 24). 43% of companies had a data breach in the past year. USATODAY. Retrieved November 3, 2014, from http://www.usatoday.com/story/tech/2014/09/24/data-breach-companies-60/16106197/

xi. Finneran, M. (2013, Dec 4). How mobile security lags BYOD. Darkreading. Retrieved October 1, 2014, from http://www.darkreading.com/mobile-security/how-mobile-security-lags-byod/d/d-id/1112902

xii. Messmer, E. (2014, May 5). Data breaches 9% more costly in 2013 than year before. Network World. Retrieved October 3, 2014, from http://www.networkworld.com/article/2176589/malware-cybercrime/data-breaches-9--more-costly-in-2013-than-year-before.html

xiii. (2014, June 19). 5 Data Breach Statistics Worth Knowing. Paymetric Blog. Retrieved November 3, 2014, from http://www.paymetric.com/uncategorized/5-data-breach-statistics-worth-knowing

xiv. Halzack, S. and Peterson, A. (2014, Sep 9). Home Depot breach reveals how challenging it is to ward off data theft. The Washington Post. Retrieved September 15, 2014, from http://www.washingtonpost.com/blogs/the-switch/wp/2014/09/09/home-depot-breach-reveals-how-challenging-it-is-to-ward-off-data-theft/

xv. Eshel, P; Moore, B; Shalev, S. (2014, Sep 6). Why Breach Detection Is Your New Must-Have, Cyber Security Tool TechCrunch. Retrieved October 1, 2014, from http://techcrunch.com/2014/09/06/why-breach-detection-ss-your-new-must-have-cyber-security-tool/

About TierPointTierPoint is a leading national provider of cloud, colocation, managed services and disaster recovery solutions designed to help organizations improve business performance and manage risk. With corporate headquarters in St. Louis, Mo., TierPoint operates 13 highly-redundant, Tier III plus data centers in the states of Washington, Texas, Oklahoma, Pennsylvania, Maryland, New York, Massachusetts and Connecticut.

To find out how TierPoint can help you with your cloud, colocation, managed services and disaster recovery initiatives — call 877.859.TIER (8437), email [email protected], or visit us at www.tierpoint.com.

TierPoint 520 Maryville Centre Dr. St. Louis, MO 63141www.tierpoint.com

© 2015 TierPoint, LLC. All Rights Reserved.