Cloud Security Benchmarking
With Cloud services we partially hand over responsibilities to our trusted Cloud Provider. We gain trust in our Cloud Provider through due diligence. We ensure secure usage of the Cloud by knowing our own responsibilities and validating them rigorously.
Cloud Customer Responsibilities
Security in the Cloud
The term "Security in the Cloud" was coined by Amazon and refers to the security controls and processes we as customers of the Cloud Service are responsible for. The Cloud Provider gives the customer a powerful toolbox with which they can build out the Cloud landscape. It is up to the customers to ensure that the right processes and configurations are in place to secure the business service. Depending on the type of Cloud Service, the responsibilities vary widely. An Infrastructure as a Service provider (IaaS - e.g. EC2 on AWS) leaves the responsibility for a major part of the stack to the Cloud Customer, while with a Software as a Service offering (SaaS - e.g. SAP Concur, SAP SuccessFactors, SAP Ariba, etc.) a major portion of the stack is managed by the Cloud Provider.
Independent of the type of Cloud service, we support our customers in assessing the security posture of their Cloud tenants. We specialize in the SaaS and PaaS services provided by SAP, such as SAP HANA Enterprise Cloud (HEC), S4 Cloud, SAP SuccessFactors, SAP Concur, SAP Fieldglass and SAP Ariba, but also in the major hyperscaler service providers such as Amazon AWS, Microsoft Azure and Google Cloud. We benchmark and score our customers' tenant configurations. We assess relevant customer processes and review the integration between Cloud and on-premise.
Cloud Provider Responsibilities
Security of the Cloud - Cloud Provider Responsibility
The term "Security of the Cloud" was initially coined by Amazon and targets the security posture of the Cloud Provider and all the services and infrastructure required to provide the Cloud service to the customer. The security of the Cloud platform, its operations and its development is not under the customer's control.
We help our customers perform due diligence in ensuring that the selected Cloud service fulfills the requirements of the enterprise. Ideally, this is done as part of the pre-sales activities and then on an ongoing, regular basis. Some of the numerous questions that need to be answered are:
Does the Cloud Provider meet the regulatory requirements enforced on my enterprise?
Does the Cloud offering meet my data residency needs?
Does the Cloud Provider do all the right things to ensure that development and operations of the Cloud Platform are secure?
Are customer-facing penetration testing reports available?
Is there a security incident response process in place?
What are the response and resolution time SLAs for security issues?
Does the Cloud Provider meet my security monitoring needs?
Can customers collect log data and how granular is the collected log data?
Can I integrate with my existing SOC/SIEM infrastructure?
There are established frameworks that provide detailed guidance and set the expectations towards a secure Cloud Provider, such as:
Cloud Security Alliance - https://cloudsecurityalliance.org/