"My company's data is much too sensitive to be stored in the cloud."
That's probably the most common justification you'll hear for not considering switching from applications run in the corporate data center to ones managed by a service provider and run in the cloud. The implication is that if you move your data to cloud storage, you will lose control over it and it will therefore be less secure.
Yet the potential benefits of cloud computing are well known -- they include
- Lower capital outlays
- Fixed, known monthly costs
- Low management overhead
- Immediate access to technology
It would be wrong to say all organizations should move all their computing tasks to the cloud, but it's almost certainly the case that many organizations could profit from the benefits described above -- if the security risk, real or perceived, could be reduced.
Perceived may be the key word here, as there's no obvious reason to assume a specialist cloud computing service provider will necessarily be any less able to provide good security for the data it has under its stewardship than the company that owns it.
There's also no obvious reason to assume that any service provider will be more able to provide good cloud security, and that means you will need to carry out due diligence, work out what the cloud security requirements are for your data, and check that a given cloud computing service provider can meet those requirements, according to Martin Blackhurst, a security specialist at UK-based consultancy Redstone Managed Solutions.
Although specific cloud security requirements are likely to vary from organization to organization, Blackhurst recommends, at the very least, asking cloud computing service providers under consideration the following questions. They can be broken down as relating to people, data, applications and infrastructure.
- Where will my data be stored?
- What controls do you have in place to ensure my sensitive business data is not leaving the virtual walls of your business?
- What are the borders of responsibility?
- How do you ensure my applications are not susceptible to emerging application security threats?
- How do you detect that an application is being attacked in real time, and how is that reported?
- How do you implement proactive controls over access to my applications -- and how can you prove to me that they are effective?
After you have received satisfactory answers to all of your cloud security questions, it comes down to whether the service provider's answers are credible. "If you know your security requirements, and the cloud provider assures you it can meet them, and all your risks are covered by your provider, then that just leaves trust," Blackhurst said. "If you are still worried about security despite their assurances, then you don't trust them, and that means you might have chosen the wrong service provider."
Getting the right level of security from a cloud computing provider is a matter of risk management, Blackhurst added. To achieve optimal security, you must concentrate on ensuring the cloud security measures in place protect you where you are most vulnerable. "Optimal security is an enabler. If security is too tight, then your businesses won't be able to grow. If you get it right, then the rate at which you can adopt new technologies will be higher."
Compliance and Governance
Another area related to cloud security that is key for many companies considering moving data to the cloud is compliance and governance. It's obviously important that the security provided covers the compliance and governance area, but it's vital that the service provider can also provide reports to prove you are in compliance. "You are going to need to provide certain information at audit time, and if your supplier can't provide you with that information, then you will come unstuck," Blackhurst said.
Important questions to ask include
- Can you help achieve or sign off on compliance with any security-related regulations such as PCI, or with any related internal policy requirements?
- What is your approach to remediation and management of compliance-related services?
- Can you provide reports on them if I need to show compliance?
Before choosing a service provider, Blackhurst had a few more tips. He recommends
- Evaluating a minimum of three different providers that can meet your security and compliance needs
- Comparing the total cost of each solution
- Establishing what "get out" there is for each solution -- how easy would it be to move your data to another service provider, or even back in-house, if the need arises
Finally, Blackhurst reiterated the point that, as with any outsourcing deal, using a cloud computing service provider will work only if you trust it to deliver what it promises.
That's because, ultimately, the buck stops with you.
Paul Rubens is a journalist based in Marlow on Thames, England. He has been programming, tinkering and generally sitting in front of computer screens since his first encounter with a DEC PDP-11 in 1979.