Bolstering Security In The Cloud

Cloud computing is a game-changer for corporate IT. It can help companies to slash operational and infrastructural costs, while growing their businesses. There is a trade-off, however: security. How can companies make their corporate data safe, when processing it outside the organisation? Here are five critical success factors to help secure your assets, while taking advantage of the cloud.

Assess your assets

Cloud computing is an exercise in risk management. Some internal corporate processes will be more sensitive than others, and companies must decide which of them they would be happy to move to a third-party cloud service provider. Like any other risk management process, this calculation will be based on assessing risk against supposed reduced costs, by defining the data sensitivity and the benefit of processing it externally. Care must also be taken to ensure that the data is protected and secure whether it remains within the business or is held within the cloud provider.

Have a backup plan

Cloud-based services can fail. Indeed, several large services from significant cloud providers have experienced problems in the past couple of years. It is possible to back up cloud-based data locally, depending on what model you’re using. Infrastructure-as-a-service (IaaS) provides virtualised machines in the cloud, giving companies maximum flexibility for backups.

Platform-as-a-service (PaaS) provides software frameworks and software libraries on which applications can be deployed, and many of these offer backup options. Even some software-as-a-service (SaaS) offerings, which provide canned, hosted applications and data with little customisability, can be configured for local backups.

Customers can further protect themselves when using IaaS by considering how they use this raw resource. One option is to use the IaaS supplier’s infrastructure as a secondary, overflow reserve of computing and storage power to cope with peak demand, rather than relying on it entirely as the primary computing mechanism.

Federate identity management in the cloud

Companies should implement a role-based management system that assigns roles to employees, and binds system privileges and data access to those roles. This will prevent users from gaining unauthorised access to internal resources and processes. Federated identity systems can extend this identity management to the cloud, protecting cloud-based applications and data using internally-developed authentication policies and access privileges.

Use Service Level Agreements

Businesses using cloud infrastructures must be certain that their data will be both protected and available. They must consider the service levels that a provider is offering. Some providers will now offer a set level of uptime for their SaaS infrastructures, for example, along with a payment guarantee if they don’t perform.

Audit cloud service providers

A cloud-based service provider should be willing to tell customers how it deals with internal problems. How does it safeguard against disruption? How does it reach out to customers in the event of a problem, and what is its escalation policy? It is also important to use a benchmark to evaluate its security posture. Sadly, security standards designed to focus explicitly on the cloud are still relatively immature. However, if a cloud service provider is certified using broad industry standards such as ISO 27001 and the emerging Cloud Security Alliance, it can provide some reassurance about the security of its information management.

Ultimately, however, cloud security isn’t just about the service provider. Businesses must understand their own responsibilities as custodians of their data, and their customers’, irrespective of the third-party providers that they use. After all, if the worst happens, it will be your credibility on the line.

Over the last 15 years Tom Salkield has built up experience both in IT security technology and business management. Prior to taking up the position of Director of Professional Services (UK) with Integralis he was a Director at Capgemini, where he held senior leadership roles driving business transformation for clients facing security challenges. Previously, he established and built up the highly successful security practice at NetStore. At Integralis, Tom is responsible for growing the Managed and Professional Services operations, expanding the portfolio of services and developing organisational capability to ensure that Integralis continues to be at the forefront of IT Security.