Cloud Providers Should Submit To Vulnerability Testing, Say Security Experts


Cloud providers must be willing to submit to vulnerability testing and be flexible during contract negotiations or expect potential clients to turn elsewhere for services, according to a panel of security experts.

Speaking at a session Wednesday titled “Trust Us: How To Sleep Soundly With Your Data In The Cloud” at RSA Conference 2014, Bill Burns, the security expert who oversaw security strategy at Netflix, urged other security professionals to take a more proactive role in helping business units with cloud services decisions. Far too often, business teams fail to involve the security team, Burns said.

"Business teams aren't necessarily talking to each other," Burns said. "A lot of times the security team has a lot of information about a business flow or a transaction that they can educate the business on improving efficiency."

[Related: Security Experts: The Public Cloud Is A Safe Place For Storing Data]

As a matter of policy, organizations should involve security with the legal team to negotiate contracts with cloud providers, said Michael Hammer, who leads Web operations security at AG Interactive, American Greetings. IT security wants to help business teams make the right decisions that will address their specific needs and be within the company's security policies and overall security posture, Hammer said.

"Some of the managers are great; they want to get engaged with us early in the process and want to leverage our skill sets and insights," Hammer said. "Other managers who haven’t done their homework see security and legal as an obstacle. But if they engaged us early in process, we may have found an alternative to what they wanted to do not because that vendor had the best tchotchke on the sales floor."

Hammer and Burns were joined by Bruno Kurtic, a founding vice president of product and strategy at Redwood City, Calif.-based Sumo Logic, a log management and analytics service provider. Kurtic and other security experts who work at cloud providers are campaigning to get businesses to overcome their reservations when it comes to moving data to the cloud.  Enterprises can store data in the cloud without feeling like they're taking a risk or losing control and visibility, Kurtic said.

Kurtic called a thorough risk assessment with vulnerability scanning a good best practice for companies establishing business with a cloud provider for the first time. For most companies, security is a priority because it is part of establishing trust and a long-term relationship with customers, he said.

Kurtic said Sumo Logic is flexible during contract negotiations and will meet customer requirements "as long as they don't prevent us from doing business the way we do business." The company also opens up to penetration testing on request, he said.

"More companies use cloud than they know they use cloud," Kurtic said. "We have been tested and we have learned what works and doesn’t work. We now feel we have a solid set of guardrails in how we get tested, and we have not yet ever been rejected after we tested."

Organizations should know how their cloud provider responds and communicates incidents, review their security policies and who has access to systems and processes, the experts said. At American Greetings, business managers have a checklist during the process of selecting a cloud service provider and all contracts are negotiated with company's legal team in conjunction with the security team, Hammer said. Businesses shouldn't backtrack on security requirements during negotiations, Hammer said.

"If the terms and conditions of what they are saying aren’t negotiable and they don’t suit you, then walk away," Hammer said. "This is common sense."

PUBLISHED FEB. 28, 2014