The contracting stage comes after the enterprise decides on the right CSP. Lee suggested the following components to be included in the contract:
- requirements for controls to protect the company assets.
- disaster recovery requirements that meet the organisation's business needs.
- an explicit right to audit clause. For example, the clause might state that the enterprise has to right to exercise on-site audit to the CSP's data centre twice a year for a duration of up to five days.
- a dedicated point of contact for security from the CSP.
There is also a need to have a tightly defined service level agreement (SLA) which is tailored towards securing the company's data in the cloud, he said. For enteprises requiring third party assurance, they should request for a service organisation report by independent service auditors, such as the Statement on Standards for Attestation Engagements 16 (SSAE16), from the CSP to determine the latter's compliance level.
Next is the ongoing management stage, where enterprises have gone live with the service. At this stage, the liaison person from the CSP is expected to provide a quarterly or monthly security report to the client/enterprise. "The report should consist of multiple areas including antivirus, disaster recovery testing, IT security incidents and patching levels," said Lee. The CSP is also required to inform its clients of any changes so that the latter will be able to "manage the change and mitigate the impact of any unforeseen circumstances." As CSPs service more than one client, enterprises should review their CSP's multi-tenancy controls, such as network segmentation and access control mechanisms, to ensure that the other clients are unable to hop into their cloud environment.
The final stage of the cloud journey is termination. Before moving to this stage, Lee advised enterprises to have an exit plan. "The exit plan should encompass a secure handover of services and data, removal of access control and network access link, securely deleting the data, storage destruction or degauss."
Combating APT Attacks
In his presentation titled 'Combating the next generation of advanced malware: How to survive an APT attack,' Corey Nachreiner, Director of Security Strategy at WatchGuard Technologies, provided tips on protecting the enterprise from today's malware and cyber attacks.
Unlike cyber attacks in the past which simply aim to infect as many systems and enterprises as possible, today's attacks are based on advanced persistent threats (APTs). These attacks are stealthy, more persistent than traditional cyber attacks, target a specific entity, as well as utilise advanced attack techniques such as zero-day malware and advanced rootkits, said Nachreiner.
Corey Nachreiner, Director of Security Strategy, WatchGuard Technologies