The Buck Stops With You: Advice When Selecting A Cloud Provider

The deployment and use of cloud-based platforms and solutions at enterprise level is becoming increasingly popular as their true value is realised. When properly implemented, cloud computing can dramatically improve a firm’s agility and productivity while simultaneously cutting costs.

Whilst the understanding of cloud platforms has advanced, security remains a worry for IT Directors when considering a cloud solution. But does the biggest security threat come from the failure to ask the right questions when choosing a cloud provider? What do you need to know to ensure your data is safe?

The Cloud In Your Security Policy

The first mistake businesses make is failing to integrate cloud security into their corporate security policy. Businesses would benefit from extending their current security policies to accommodate additional platforms, rather than creating a completely new security policy solely for the cloud. The questions that need to be asked when updating company policies are ‘Where is the data stored, and who has access to it?’

Take Responsibility

Another misconception among IT managers is to presume that all service providers have the same level of security and that your data is automatically secure, or not secure, depending upon your viewpoint. The latter is the best starting point: it is a dangerous assumption to make that your data is secure. Ultimately, it is you who is responsible for your own and, more importantly, your customers’ data. Consequently, it is important to perform a thorough review of each cloud service provider’s technology and processes on topics such as application and data storage, as these differ between providers.

It is important to understand who has access to the data outside of your organisation, as well as what level of encryption is deployed, where the keys are stored, who has access to the keys, and whether there are any stages within the process at which the data is decrypted. Each application may handle these differently, so there may not be a single answer but one that depends on each function deployed through the service provider. For instance, data backup may handle security differently from archiving, as the applications behind the scenes may be from different vendors.

Know Where Your Data Is

Laws on data management vary from country to country, a fact that new users of the cloud can sometimes be unaware of; data that is secure in one country may not be secure in another. In some cases companies are unaware of which country their data is actually held in. This needs to be clearly defined from the outset, because the data must comply with the correct legislation and/or could be susceptible to specific threats that are pertinent to a certain country.

It is important to understand whether the service provider or cloud provider is subject to the US Patriot Act; this may not be a major issue if the security threats are addressed as above. Businesses often fail to store data in more than one location, or to have sufficient data backup and recovery software in place to perform point-in-time recovery in case of data corruption or data loss. Your service provider often shares many of the same risks you do in your data centre, although many don’t, and have steps for Disaster Recovery and Business Continuity well defined, tried and tested.

For a business intending to deploy the cloud, security is a primary issue. Without a strong focus on security when choosing a cloud provider, you can relinquish control over your company’s data. Don’t make assumptions about the organisations you are trusting with your data; check their credentials and make sure you’re asking the right questions, because in the minds of your customers the buck stops with you.

Phil Evans is VP at Datacastle. He has over 20 years of combined sales and business development experience in both North America and Europe. Phil was responsible for setting up the EMEA sales operations for EVault prior to Seagate's acquisition and the creation of i365 and held numerous positions at i365 including Director of Business Development (EMEA) and as VP of Sales for Northern Europe. Phil also served as a Director at a UK storage management company and established the European operations of Professional Services in EMEA for Legato Systems.