“In a few years, no-one will consider how secure cloud computing is because there will be few alternatives.” These prophetic words come from cloud computing guru Nick Marshall, managing director of UK-based Giacom World Networks. Making the initial move to cloud computing is still a big step, however, and one not to be taken lightly. Security is a key issue, especially for organizations that must comply with the various regulatory compliance standards such as PCI DSS and HIPAA/HITECH.
For now, cloud computing is a viable option for companies that are looking to simplify and reduce the capital expenses of deploying, maintaining, and accessing software, platforms, and infrastructure. And while consolidation and virtualization might make for a more manageable IT environment, these twin pillars upon which the cloud rests could also present a larger target for social engineering and other forms of attack.
What’s more, for all its benefits, computing in the cloud means that some functions many organizations are accustomed to handling in house are taken over by vendors, so it can be a difficult proposition to “hand over the keys.”
Better Shop Around
Outsourcing arrangements traditionally have involved a contract and/or service level agreement as a tool for establishing expectations, gaining assurances, defining responsibilities, and transferring a portion of the risk to the vendor. A major difference between traditional outsourcing and some cloud services is that in some cases, cloud service providers use a one-size-fits-all approach in their terms of service.
Since your organization remains responsible for its information stored in the cloud, it is fundamentally important to shop around for cloud computing vendors and ask some tough questions. First and foremost, will the vendor provide transparency, and to what extent? If the vendor refuses to provide detailed information on its security measures, move on.
For vendors who are willing to discuss the security measures they have in place, do they have the ability to constantly monitor cloud resource use, block unwanted traffic, scan the traffic that is allowed for malware, and alert administrators to any suspicious activity?
Who has access to the data? Ask vendors for specific information on their hiring and oversight practices for those with privileged access, such as administrators.
Due to the diffused nature of cloud computing, “location, location, location” takes on new meaning. If where your data is stored is important to your organization, ask the vendor if they have the ability to restrict storage to specific countries. What practices are in place to prevent your data from becoming intermingled?
Have an Out
Before heading into the cloud, it’s important to determine how your organization can get out. That means developing an exit strategy for parting ways with a service provider as part of your business continuity and disaster recovery plans. For example, how would you recover your data from the vendor, especially if the vendor shuts down?
Even if you don’t know where your data is at any given moment, a cloud service provider should be able to tell you what will happen to your data and service in the event of a disaster. Ask the vendor whether it has the ability to perform a complete restoration, and if so, how long it would take.
BYOD Policies and the Cloud
Even for organizations that already have a policy on employees bringing their own devices (BYOD) to work and remotely storing data on public-grade cloud computing services, cloud computing raises the issue of internal security. The popular file sharing platform Dropbox was breached recently, as was Apple’s iCloud. And just because your organization doesn’t use either service, that doesn’t mean some of your employees don’t. They may be storing company or client/patient information in a cloud service without your knowledge.
A commonly mentioned reason for employees to save corporate data on their own devices is to be able to work on projects outside of the office when the employer supplies no suitable alternative. One way some organizations are dealing with that issue is to furnish trusted employees with access to approved shared file storage platforms.
Another security issue with the potential for a straightforward fix is eliminating the one-password-accesses-all phenomenon. It is still not uncommon for employees to use the same password for multiple systems, such as their personal devices and Internet-based services. So, if an online cloud storage service on which an employee has reused a password is breached, an organization’s internal systems, such as email, could be compromised too. One solution is to require employees to change their passwords periodically. Another is to move to a system of passphrases (easily remembered sentences or phrases) to cut down on how often passwords need to be updated.
Ready to Make the Move?
The key to a sound cloud security strategy is to have a well-developed information security program in place in your organization before you make the move. Such a program will provide the framework within which to evaluate how well the various cloud providers’ security programs suit your needs. We recommend that you also make use of the resources available from the Cloud Security Alliance to help guide you.