Security Monitoring for Cloud Services

When implementing our own, in-house, computer systems, we know that it isn’t sufficient to just build in beautiful security processes and controls and then leave them to work their magic. Good security requires continuous monitoring to determine when those controls need to be adapted to meet new environments or new threats. Monitoring may even be able to detect problems before they occur, or at least significantly reduce their impact when they do. Over the past decade we have learned a lot about how to monitor in-house systems: the increasing adoption of outsourced cloud systems means that cloud customers and providers need to learn how to monitor those as well. While security compliance audits can verify security measures at a particular moment in time, security monitoring ensures those measures continue to deliver the requirements of both customers and providers at all times.

ENISA has published a very useful guide and checklist to this process, covering a number of different areas of security monitoring that can be used for cloud services – service availability, incident response, service elasticity, data life-cycle management (backups, deletion, etc.), technical compliance and vulnerability management, change management, data isolation, log management and forensics. For each area the guide describes how a customer can identify the measurements that are most significant for their risk profile, how measurements can be done, which can be made independently of the provider, what signs of trouble to look out for, and what action may need to be taken when they occur. Some measurements can be derived from the cloud customer’s own records or its customers’ experiences, others may need to be incorporated into the contract with the provider, or at least notified to them. Clouds share the familiar security paradox that proactive measurement can easily look like an attack or reconnaissance for one and trigger automated defence mechanisms that can both invalidate the measurement and damage the service. Unlike most other services, stress testing the capacity of a cloud service can cost real money! The guide contains many practical examples that should help cloud users to determine which parameters and measurements are most important for their particular applications.

Although the main audience for the guide is public sector cloud customers who may be in a position to negotiate individual contract terms, it should also be useful to a much wider range of cloud customers and providers. Even for customers who are only offered standard contracts by providers, the examples and checklist should help clarify which parameters are most important to them, and therefore the most important things to compare in those standard offerings. It even seems to me that it might be useful for comparing in-house and cloud options, by highlighting if a service requires security metrics that aren't available under standard cloud contracts.