Last week one of my customers called me into a meeting to discuss moving a critical application to the cloud. This application is very sensitive to the customer and the data it holds is very sensitive to my customers customer. The results of this meeting turned into a list of questions forwarded the customers executive staff and also a set of questions for the cloud vendor.
This Cloud vendor is providing a COTS solution storing personally identifiable information tax and other very sensitive information. Because of this a number of the questions focus on the protection of PII and the destruction of unneeded copies of data.
I have redacted customer and vendor information from this list of questions, these questions may serve as a baseline for your organization to come up with questions for your Cloud vendors. Point of note the answers to these questions will more likely than not cause follow-up questions.
Here is the list of questions for the customers executive staff to address.
===============================================================
As <REDACTED> moves towards cloud based computing solutions, <REDACTED> must consider the following to create standards for all cloud based systems going forward:
- Will <REDACTED> require TLS on day 1? If not, vendor must have a plan and a deadline to get off SSL and on to TLS?
- Will <REDACTED> require DISA STIG standards (Fed DOD standard) for all off site cloud data?
- Will <REDACTED> require PENetration testing and at what frequency (Federal standard is 1 year)?
- What level of data destruction is required for <REDACTED>’s secure/PII data being stored on a cloud based system controlled by non-<REDACTED> vendors?
- Will <REDACTED> hold AES256 as the minimum encryption standard for cloud based systems?
- Will <REDACTED> require 3DES minimum 168 bits?
- Will <REDACTED> require a minimum of 7 wipes for secure/PII data stored on cloud based systems?
- Will <REDACTED> require in sales contract with stated frequencies, independent audits to ensure <REDACTED>’s stated audit, encryption and data destruction plans are in effect and compliant?
- Will <REDACTED> require internal <REDACTED> audits and/or legislative audits be performed on <REDACTED> systems?
- The sales contract must state the “break up” plan for all <REDACTED> data including the delivery back to <REDACTED>, the destruction of the data on vendor systems and the certification that all data has been destroyed according to the <REDACTED> standards. Independent audit to verify results.
- Will <REDACTED> require all data stay within the United States, with no data ever leaving the US?
- What will <REDACTED> require regarding the vetting standard for cloud vendor trusted inside employees?
- What will <REDACTED> require regarding liability insurance in the event of a security incident?
Here is a list of questions for the cloud vendor.
===================================================================
As <REDACTED> data is highly sensitive and contains a great deal of PII for each firm, the following are questions to be answered:
1. Regarding the destruction of sensitive/PII data on <REDACTED> systems, how will you destroy unnecessary copies of data and ensure the necessary copies are encrypted and secure?
2. Is the use of AES256 and 3DES encryption consistent throughout <REDACTED> enterprise as referenced on page 10 of the Security Management Plan? How many bits are used for 3DES?
3. Initial Source Data/Document Load files (via sftp per <REDACTED> docs): Controls/Audit – <REDACTED> should know exactly who touched the load files and for what purpose via audit reports.
4. Additionally, after migration is complete, <REDACTED> to certify (via independent audit) that all source data has been destroyed and no ghost data remains on servers or work stations.
5. Cross boarder – will the data leave the United States for any reason at any time?
6. What analytics software packages are in use to monitor account activity for our <REDACTED> employees as well as <REDACTED> trusted inside employees? How will audit reports be delivered to <REDACTED>?
7. What does “in compliance with Cyber Security Standard” refer to as mentioned on page 6 of the <REDACTED> Security Management Plan? Is this a subset or superset of NIST?
8. On page 7 of the <REDACTED> Security Management Plan in reference to Export Servers under System Architecture, how is the use of these Export Servers audited and after the export is no longer required, how will you certify that the data has been destroyed? If used, can an unencrypted copy of the export be made?
9. Will all backups be encrypted with 3DES and at what bit level? How will <REDACTED> certify the destruction of old backups?
10. What is the plan for <REDACTED>’s system using TLS?
11. Does <REDACTED> harden sqlserver to DISA STIG standards? If not, is it a superset or a subset?
12. What is the end of contract plan for all <REDACTED> data including the delivery back to <REDACTED>, the destruction of the data on <REDACTED> systems and the certification that all data has been destroyed according to the <REDACTED> standards.
13. In the event of a security incident, does <REDACTED> have liability insurance to cover associated losses?
14. How are your trusted inside employees are vetted (DBA’s, System Admins, Network Admins, etc)?
15. If you perform PEN testing, what is the frequency of the testing and will <REDACTED> get a redacted copy of the results of each test?