Cloud computing security is probably the most important area of concern for most businesses that are evaluating a cloud computing strategy for themselves. “The Cloud” essentially provides the option of storing and processing data on a device that is externally located and may or may not be shared. The extent to which the processing & storage is being shared determines the cloud deployment model: Public, Private & Hybrid. However, in the purest sense cloud is a shared & external location for the storage and processing of data. Now because the data is externally located and also shared, naturally means that the risk profile of the data has increased. But the increase in risk profile doesn’t mean that cloud computing is unsecure. In fact, given that most cloud computing service providers recognize the security risks of the cloud, they try to put in place time and effort to make their service offerings completely secure. Because of this concerted effort in this direction, it may actually be the case that your data may be more secure on a cloud server rather than on your office premise.
So it goes without saying that all service providers are making effort in making their cloud secure. But it also remains a fact that cloud computing increases the risk profile of your data and as such all businesses should recognize these concerns and try and evaluate their cloud provider on their ability to address these concerns. With this blog, we attempt to explain “Gartner’s 7 cloud computing security concerns” and also prompt the questions that should be posted to cloud service providers in order to evaluate their security:
Gartner’s 7 cloud computing security concerns
1. Privileged user access
The cloud takes your data physically away from you. You are no longer the custodian of your data. The custody of your data now is with the administrator appointed by your cloud service provider. It is this person or set of individuals who needs to be scrutinized before you trust your data with them. It is therefore essential to ask your cloud service provider for information on the people who will administer the cloud. There should be a mechanism by which these individuals are screened, evaluated, and appointed. Any service provider who is not upfront about its recruitment process and employee profile cannot be trusted with your data.
2. Regulatory compliance
There are external auditors who scrutinize the cloud computing security measures of any cloud service provider. They are an independent source of information on the cloud’s security. Any service provider you are considering should be willing to go through such audits. In cases the audit has already been done, you should request for the audit report to be shared by the cloud service provider. In fact, cloud service providers should willingly participate in audits. The audit can showcase and certify the cloud’s security.
3. Data location
Location is important from the legal jurisdiction standpoint. With the cloud, the data can be physically located anywhere. It depends on where the service provider is having its data center. Let’s suppose the data center is located in a place where the legal system is lax. In such a situation the cloud service provider can escape prosecution, in case it is complicit in knowingly or unknowingly compromising the security of your data. To avoid such a situation you should request your service provider to keep your data in a location that you are comfortable with and also execute proper agreements with your service provider which will force it to abide by the rules & regulations in the location.
4. Data segregation
The cloud in its purest form (public cloud) is shared between organizations. There are ways in which the data can be segregated from each other. It is important to know the ways the service provider is ensuring the data is segregated. Encryption is one such way. However incorrect encryption can almost make the whole data set unusable.
5. Recovery
Generally, cloud service providers replicate the data on at least a couple of locations. This is a way to ensure that the data can be recovered from a separate location due to any accidental loss. Any service provider who doesn’t back up the data is an immediate red flag. You should, therefore, request your service providers for information on the places where your data is getting backed up. If in case your data is not getting backed up, you should discontinue working with that service provider immediately.
6. Investigative support
There are various ways in which data security can be insured on the cloud. You can do deterrent control by warning users of the consequences of stealing your data. The largest subset of deterrents is preventive control, like with the point we discussed on screening administrators. Then there is detective control by using techniques to monitor intrusion attempts. Finally is the question of corrective control, for which you need investigative support.
Once you have suffered any data breach, investigative support enables you to find out the problem and limit its loss or prevent it from happening again. Your cloud service provider should ideally be under contractual obligation to co-operate in any investigation as and when required by you.
7. Long-term viability
You should also spend the time to investigate the market and financial standing of your service provider. It should not be such that the provider is a newbie in the market with nothing to lose. If such a provider sees a sustained cycle of financial distress it is likely to fold and leave you high & dry. Also, the service provider should have deep pockets to withstand a sustained period of stress.
Need help with Cloud?
Reach us at mktg@inapp.com or Contact us