Select Cloud Service? The cloud provider should be tested for penetration first

With the growth of large amounts of data in the enterprise, companies are also beginning to put on the agenda for deploying cloud computing. However, because the enterprise does not have a clear understanding of the security of the cloud services provided by the cloud provider, it is necessary for the enterprise to make a vulnerability assessment and penetration test before selecting the cloud provider.

It is sometimes difficult to understand what is behind cloud applications or cloud services, but that is not entirely the case. The audit of cloud service providers usually needs to be clear: the need to review, understand, and evaluate, but often businesses do not choose to review cloud vendors based on the risks they face.

Before you audit a cloud service provider, make sure you have a good goal, figure out what you care about, what you want to protect, etc. If the cloud services store data is compromised, may affect the enterprise, then should be more active in the evaluation of suppliers, otherwise the consequences would be disastrous. Allocate your time, money and resources rationally, not spend too much time (over the necessary time) on evaluating third parties, spend some time on other tasks, such as providing better security to reduce enterprise risk. Make sure that all risk points are covered, such as data transfer, storage, assessment control, vendor employee access, logging, application security, physical security, and Third-party integration.

Don't do this: Don't start auditing with a huge list of listings and questionnaires. We've all faced this kind of questionnaire, and we all hate tables where no one wants to answer these complicated questions, and more importantly, no one wants to check if the answers are correct. These questions never accurately define the risks or services that are assessed, but instead waste time on both sides. Before starting the evaluation, make clear the control situation of the third party, what auditing enterprises need to face, what compliance standards the enterprise has met, etc. Clarifying your goals and focus will help guide the assessment process, especially in a cloud environment----infrastructure and applications are very different from the traditional enterprise environment and are evolving rapidly.

Vulnerability assessment and penetration testing are the best way to verify the security posture of your cloud service provider. From the author's experience, most cloud service providers welcome potential customers to assess their infrastructure vulnerabilities, as long as they are within agreed time limits, and their teams are willing to answer a variety of questions. Sometimes there are suppliers who are unwilling to cooperate, and this usually means that you should not choose this supplier.

These assessments are good for most cloud service providers because they have no other information to offer to customers to demonstrate that their services meet stringent corporate security standards because many vendors build their services on public cloud services, and enterprise security products do not match the cloud infrastructure perfectly. Have you tried IPs and full packet capture in a cloud environment? If you try, then you know that the IPs of the safety checklist is hard to achieve. Side hints: Be sure to perform due diligence in determining all ranges of systems and validate vendor-supplied results. Some vendors host their applications in a larger cloud vendor's infrastructure, so some validation is required. These validation processes are not the most comprehensive and will not necessarily solve your concerns. Verify the parts that are relevant to you because you need to take your own risks.

When working with a cloud provider, identify your problems, assess your risk, and, most importantly, realize that our traditional methods and procedures are not applicable in the cloud environment. From an enterprise perspective, it is difficult to assume security risks in the cloud environment, and we are trying to prove their security, but we do not have the resources we really need to meet the same standards that we set for the enterprise. Even so, cloud services may be safe, and some may be unsafe, and we have to review them to make a decision and choose a vendor that is safe for its own business.