Cloud computing can help organizations break down the physical barriers of IT infrastructure for end users, delivering benefits and cost savings that were incomprehensible a decade ago. But, as with so many other technical choices, the good comes along with the bad. According to a recent Gartner survey, the utmost concern for all CIOs is cloud services. Security is a two-sided coin in cloud computing: there are pros and cons. Most importantly, heightened security threats need to be overcome in order to benefit from this new computing paradigm.
The first and most obvious security concern around cloud computing is privacy. That is, if another entity is housing all your data, how can you be sure that it’s safe and secure? You can’t. As a starting point, assume that anything you put on the cloud can be accessed by anyone. This is also a concern because law enforcement has been able to access data maintained within a cloud more easily than data on an organization’s premises-based servers.
The best plan for the immediate future is to not perform mission-critical or highly sensitive work on a cloud platform without extensive security controls. If you are unsure about the security required for highly sensitive applications or data, stick to applications that are less critical and therefore better suited to the cloud and to more “out of the box” security mechanisms, such as your email systems, video hosting, web hosting, etc.
Understanding the risk profile
The next security concern is evaluating the controls, security and levels of visibility that the cloud provider (in-house or external) gives its clients. The biggest threat is not understanding the risk profile the cloud brings to the table. Part of the evaluation should focus on the provider's infrastructure, which could be dedicated or shared with other customers. If it's shared, what's the risk of other customers taking actions that could put your information or privacy in jeopardy? Companies using cloud services should evaluate the provider's risk profile on an ongoing basis and not just at the outset when soliciting bids.
Building strong security can also include writing security requirements into your contracts with cloud-service providers and following up to make sure these requirements are being met. To thoroughly evaluate the security posture of an external cloud vendor, you have to pore over the security documents and make sure that key questions such as the following are answered.
- In which country(ies) is the cloud provider located?
- Is the cloud provider’s infrastructure located in the same country or in different countries?
- Will the cloud provider use other companies whose infrastructure is located outside that of the cloud provider?
- Where will the data be physically located?
- Will jurisdiction over the contract terms and over the data be divided?
- Will any of the cloud provider’s services be subcontracted out?
- Will any of the cloud provider’s services be outsourced?
- How will the data provided by the customer and the customer’s customers be collected, processed and transferred?
- What happens to the data sent to the cloud provider upon termination of the contract?
Security of your data
Your data should be securely encrypted when it’s on the provider’s servers and while it’s in use by the cloud service. Ask potential cloud providers how they secure your data not only when it’s in transit but also when it’s on their servers and being accessed by cloud-based applications. Find out, too, if the provider securely disposes of your data, for example, by deleting the encryption key. In addition, make sure the data stored in the cloud is backed up and that you’re also applying the same provisions for securing data to the PCs and laptops in your office. Certification summaries (e.g. SAS70 certification) covering the provider's data processing and data security activities and its data controls serve as testimony that addresses one of the key risk exposures.
If you think that's the end of your concerns, hold your horses. I have only just scratched the surface. In the next part of my blog, I will reveal more. Stay tuned.
I was born in Singapore, an island with a population of a mere 5 million people. I truly believe I was born with a purpose to fight criminals in this world. Having failed the entrance test for the Avenger League several times, I joined Orange Business to fight crime in another role as Security Practice in APAC. I'm pinning my hopes on being called up for duty to join the Avenger League.