Bringing Cloud Security Down To Earth: Beware of Third-Party Infrastructure Access Agreements
By: Ali Gomulu
Moving business applications, workflows and data to the cloud represents a major shift that requires enterprises to change their security posture, because sharing information outside the organization creates a greater need for diligence and governance. Cloud vendor agreements must be carefully written and security policies implemented, as moving all or part of an organization’s IT infrastructure to the cloud does not absolve the organization of its security responsibilities. The security requirements written into cloud vendor contracts must include Privileged Access Management (PAM) policies to reduce risk and provide clarity.
Cloud adoption continues to rise; according to International Data Corporation (IDC)’s “Nine Ways to Maximize the Value of Cloud Contracts,” 52 percent of all companies are currently using cloud-based delivery models and an additional 27 percent have firm plans to implement cloud solutions within the next year.
When entering into cloud agreements, security must be a forethought, not an afterthought, and a big part of this is to contract in such a way that the cloud services provider understands the boundaries, including the protection of not only the cloud instances, but the connectivity to the organization’s infrastructure, especially when hybrid solutions are in place. If a cloud provider needs to access internally generated and stored data, they must be required to do so within the context of a solid PAM solution.
This same PAM solution, architected wisely, can also protect mission-critical infrastructure internally (ensuring employee activity is monitored and managed), while also protecting that same infrastructure when vendors need access to it, for example to perform maintenance on servers, gateways or other physical infrastructure.
Cloud and infrastructure vendor contracts can be designed to mitigate risks to the confidentiality, integrity and availability of an organization’s data and applications, offering an additional layer of protection.
Third-Party Infrastructure Access Agreements: Negotiate to Protect What You Connect
As part of digital transformation, which includes moving more to the cloud and/or outsourcing IT functions that require third parties to access systems, IT leaders need to become proficient in negotiating and managing contracts. They also need to design a system that can authenticate and authorize access by people and machines, matching the right workflows and processes to the goal of securing valuable assets.
When signing up for any agreement enabling a third party to access corporate resources, here are five basic principles to keep in mind:
- Require the cloud or infrastructure vendor to provide regular reporting on security status, including security incident and intrusion detection/prevention system (IDS/IPS) log reports, with the right to audit and assess this as part of the agreement; to simplify this, organizations can use solutions like Ironsphere’s PAM platform, which manages privileged credentials, including passwords and profiles (for example, which individuals can access which domains).
- Clarify service monitoring and request real-time alerts should systems go down, as outages can be indicators of a security breach; organizations will want to monitor availability anyway and to discuss any patterns of downtime should they occur.
- Include language in agreements that affirms the cloud provider or infrastructure vendor’s business continuity plan, with specific requirements in place associated with data backup and recovery responsibilities should there be a security issue or other system failure.
- Ensure agreements cover regulatory requirements, especially in the most regulated industries (financial services, healthcare, e-commerce and others), and keep pace with increasingly strict laws protecting consumers’ private information; map privileged access policies so that only those who “need to know” can access the data that is most vulnerable.
- Specify technical standards for encryption and transmission, access controls, and background and/or security check protocols for cloud providers and infrastructure vendors, including the use of the organization’s own choice of PAM software. Confirm exactly how the different user permission roles are put in place, and mandate accessibility parameters for each role and the administrator’s access rights, ensuring all access events can be recorded and tracked.
Ironsphere provides advanced technology software in the fields of Access Control Systems, Privileged Task Automation and Next-generation Security and Audit. With the world’s most cost-efficient, flexible and easily deployed Access Control software, our technology platform supports many global telecom service providers and large enterprises.
Our core offering is a Privileged Access Management (PAM) solution that protects mission-critical systems and infrastructure. It is used as an administrative access, information security and governance tool to prevent internal data breaches and malfeasance carried out with privileged accounts, and it enables the sound management of heterogeneous environments – cloud, on-prem, hybrid and multi-cloud – making sure that only the people and systems authorized to access data and infrastructure can do so.
To learn more about how your organization can reduce risks associated with an increasingly interconnected world, please contact us at email@example.com.