Cloud Computing best practice #3: Pay attention to security

Posted on June 21, 2012 by Tim Burke

This best practice might seem obvious, but it can never be over-emphasized. Here are the five must-dos of Cloud Computing security…

1. Evaluate Cloud service providers’ security with these questions:
   - What access control model do you use?
   - Who chooses the authoritative sources of access control policy and user profile information — you, or us, or a third party?
   - Do you support retrieval of access control policies and user profile information from external sources? If so, via what formats and transmission mechanisms?
   - Where do our accounts reside? How are they provisioned and deprovisioned?
   - How do you protect the integrity of my data?
   - What authentication mechanisms do you support? (These should be appropriate for the sensitivity of the data use.)
   - Do you support federated authentication or single sign-on model(s)?
   - What support do you provide for delegated administration by policy administration services?
   - What log information do you provide? Can it be imported into our operational analysis and reporting tools?
   - Can we specify external entities with whom to share information? If so, how is that accomplished?

2. When using cloud computing services, pay attention to user authentication:
   - Define and enforce strong password policies.
   - Match authentication options to the risk level of the Cloud services being used — and authenticate all users with at least a username and password.
   - Require enterprise administration capabilities for all supported authentication methods, especially the administration of privileged users.
   - Use self-service password reset functions first to validate identities.
   - Consider using federated authentication (you authenticate your users locally, then pass some type of token to the Cloud service granting access for that user).

3. Perform a thorough evaluation of your own IT security so you understand your infrastructure and application vulnerabilities and are sure that all security controls are in place and operating properly.

4. Develop a risk mitigation plan and document it so you can quickly deal with any issues that arise — and so you know how to train employees about risks and how to respond to them.

5. Monitor Cloud service performance rigorously; this is how you and your Cloud provider will recognize any security threats early and deal with them quickly.

Next time: Cloud Computing best practice #2.