What would your reaction be to someone who told you that “The Cloud” is so secure you don’t need to do anything else to protect your data? I would hope that your reaction would be somewhere between the RCA Dog head tilt and Dramatic Chipmunk. But from anecdotes I’ve been hearing, this gem of very questionable advice is becoming increasingly common.
The truth is, Cloud Computing is not some magic security sauce that you can liberally apply to make your data safer. It’s unfortunately apt that two dictionary definitions of the word “cloud” are “making less clear or transparent” and “cause of gloom, suspicion, trouble, or worry”. Cloud services are very much what you make of them, and you need to apply at least the same level of rigor, in terms of risk assessment, as you would to assets hosted on your own network.
Because the Cloud can make risks and responsibilities less clear, you’ll need to be extra dogged about asking vendors what steps they take to secure their services. When choosing a new vendor, you should be thoroughly vetting their security policies and procedures. It’s also a good idea to clearly spell out what responsibilities fall to the vendor and what you need to do on your organization’s end to protect yourself.
Before approaching a vendor, you should clarify the answers to a few questions about the needs of your organization:
Will you be using the Cloud simply to store files, to host software applications, or to host virtual machines?
Your Cloud could be deployed publicly, privately, or somewhere in between depending on your specific needs and tolerance for risk.
Keep in mind that the Cloud is another way of saying “someone else’s computers”. Quantify how much risk it would create for your organization if this vendor were to experience a breach or go out of business.
In keeping with the Principle of Least Privilege, it may be that not all of your users need access to the Cloud in order to do their jobs effectively.
Each industry has its own relationship with the alphabet soup of national and international data security regulations. Something that would work well for a retail establishment may not be sufficient for a legal or financial business, for instance.
Training and education are crucial to making sure best practices are followed. These should be spelled out for Cloud services explicitly, so that users know what constitutes safe behavior.
Consequences for failing to follow these practices apply to both the Cloud vendor and your users, though consequences for the former will likely be the product of negotiation or existing Service Level Agreements. It should be clear to all concerned what will happen if someone fails to live up to their responsibilities in safeguarding your data.
Once you’ve clarified your goals and boundaries for Cloud services, you can start asking vendors about their procedures. The Gulf Cooperation Council eGovernment site has a document discussing Cloud Computing policy that includes (in Appendix A) a very thorough list of questions that could be great food for thought as you come up with your own list of questions for vendors. Here’s a list of possible topics you may wish to consider:
Clouds don’t have to bring opacity or uneasiness, if you do some homework before implementation. The ability to access files and services from wherever you are is a powerful one, which can either introduce new risks to your environment, or it can be an opportunity to enlist the services of a trusted partner to improve your overall productivity. The coming of Clouds can actually clear the air and provide a welcome respite.
Author Lysa Myers, ESET