Cloud security: define data risks and assess provider
How comfortable are you with your confidential information in another’s hands? One of cloud computing’s consequences could be a loss of control. When processing is transferred to a third party, some of the responsibility for security and compliance goes with it; no wonder security professionals are nervous. Trusting your cloud computing service provider to handle your data securely is therefore essential.
In February 2011, the International Information Systems Security Certification Consortium (ISC)² published its Global Information Security Workforce Study. It found that 92% of the 10,413 security professionals surveyed wanted a detailed understanding of cloud computing before they would be comfortable implementing it.
Industry bodies are already working hard on developing security best practices for cloud computing. Version 2.1 of the Cloud Security Alliance’s guidance on governance and enterprise risk management in the cloud gives advice on how to tackle cloud security issues. It recommends that part of the cost savings from cloud-based contracts be reinvested in the continued scrutiny of a cloud provider’s security.
“Information security governance should be a collaboration between customers and providers to achieve agreed-upon goals which support the business mission and information security program,” the guidance says. The customer’s responsibility includes defining risk tolerances for cloud-based services.
One of the first actions that enterprises need to take is to actually understand the nature of their organization’s data. “If the traditional rule of thumb for confidentiality in data classification is applied, 85% will be public (and cloud-ready), 10% will be internal (and therefore less suitable for public clouds), and only 5% will be secret and therefore entirely unsuitable for any open (discretionary) security regime,” says Rolf von Roessing, International Vice President of ISACA and member of ISACA’s Security Management Committee. The trick lies in understanding which data is which.
To help them do this, companies need to update their sourcing policies to ensure that security experts are part of every project team. Those experts can perform a risk analysis that assesses the security and privacy aspects of a cloud computing solution before the company engages a service provider.
Once a provider is engaged, enterprises need to carefully define a set of security objectives to be delivered by the cloud provider. These objectives and their associated metrics should be written into the service contract and monitored regularly throughout the service lifecycle. Such IT security metrics should give the enterprise the required level of confidence that the service provider is protecting its information assets effectively, in a pre-defined and measurable manner.
As a postscript to this security blog, it’s worth watching this interview with Orange cloud computing expert Peter Glock, filmed at last year’s Orange Business Live! He explains how security in cloud computing needs to address the three key issues of confidentiality, integrity and availability (CIA) along with privacy, and suggests approaches by which enterprises can successfully meet these.