Cloud computing security is probably the most important area of concern for most businesses that are evaluating a cloud computing strategy. “The Cloud” essentially provides the option of storing and processing data on a device which is externally located and may or may not be shared. The extent to which the processing & storage is shared determines the cloud deployment model: Public, Private & Hybrid. In the purest sense, however, the cloud is a shared & external location for the storage and processing of data. Because the data is externally located and also shared, the risk profile of the data naturally increases. But an increased risk profile doesn’t mean that cloud computing is insecure. In fact, since most cloud computing service providers recognize the security risks of the cloud, they invest time and effort to make their service offering as secure as possible. Because of this concerted effort, it may actually be the case that your data is more secure on a cloud server than on your own office premises.
So it goes without saying that all service providers are making an effort to make their cloud secure. But it also remains a fact that cloud computing increases the risk profile of your data, and as such all businesses should recognize these concerns and evaluate their cloud provider on its ability to address them. With this blog we attempt to explain “Gartner’s 7 cloud computing security concerns” and also suggest the questions that should be put to cloud service providers in order to evaluate their security:
1. Privileged user access: The cloud takes your data physically away from you. You are no longer the custodian of your data. Custody of your data now lies with the administrators appointed by your cloud service provider. It is this person or set of individuals who needs to be scrutinized before you entrust your data to them. It is therefore essential to ask your cloud service provider for information on the people who will administer the cloud. There should be a mechanism by which these individuals are screened, evaluated and appointed. Any service provider who is not upfront about its recruitment process and employee profiles cannot be trusted with your data.
2. Regulatory compliance: External auditors scrutinize the cloud computing security measures of cloud service providers. They are an independent source of information on the cloud’s security. Any service provider you are considering should be willing to go through such audits. Where an audit has already been done, you should request that the cloud service provider share the audit report. In fact, cloud service providers should willingly participate in audits, since an audit can showcase and certify the cloud’s security.
3. Data location: Location is important from the legal jurisdiction standpoint. With the cloud, the data can be physically located anywhere; it depends on where the service provider has its data centers. Let’s suppose the data center is located in a place where the legal system is lax. In such a situation the cloud service provider can escape prosecution if it is complicit, knowingly or unknowingly, in compromising the security of your data. To avoid such a situation you should request that your service provider keep your data in a location you are comfortable with, and also execute proper agreements with your service provider which will bind it to the rules & regulations of that location.
4. Data segregation: The cloud in its purest form (public cloud) is shared between organizations. There are ways in which each organization’s data can be segregated from the others’. It is important to know how the service provider is ensuring that the data is segregated. Encryption is one such way. However, incorrectly implemented encryption can render the whole data set all but unusable.
5. Recovery: Generally cloud service providers replicate the data in at least a couple of locations. This is a way to ensure that the data can be recovered from a separate location in the event of accidental loss. Any service provider who doesn’t back up the data is an immediate red flag. You should therefore ask your service provider for information on the places where your data is being backed up. If your data is not being backed up, you should discontinue working with that service provider immediately.
6. Investigative support: There are various ways in which data security can be ensured on the cloud. You can apply deterrent controls by warning users of the consequences of stealing your data. The largest subset of deterrent controls is preventive controls, such as the screening of administrators discussed above. Then there are detective controls, which use techniques to monitor intrusion attempts. Finally there is the question of corrective controls, for which you need investigative support.
Once you have suffered a data breach, investigative support enables you to find out what went wrong, limit the loss, and prevent it from happening again. Your cloud service provider should ideally be under a contractual obligation to co-operate in any investigation as and when required by you.
7. Long-term viability: You should also spend time investigating the market and financial standing of your service provider. The provider should not be a newcomer to the market with nothing to lose. If such a provider sees a sustained cycle of financial distress, it is likely to fold and leave you high & dry. The service provider should therefore have deep enough pockets to withstand a sustained period of stress.