“The cloud” buzzword dominates discussions these days, with talk about public clouds, private clouds, leveraging the cloud and moving applications into the cloud.
While cloud solutions offer financial and operational benefits, they also bring with them a host of security concerns that organizations must effectively address.
When evaluating the move of data, applications or infrastructure to cloud-based services, business and IT leaders must consider the following security issues.
One of the first issues raised by security professionals and functional managers alike when they consider cloud services is a fear that sensitive information placed in the cloud may be inadvertently disclosed to unauthorized individuals. This is a reasonable fear because some cloud services are inappropriate for sensitive information. Any plans to move this type of data offsite should be carefully thought out.
Organizations seeking a solution for sensitive information should evaluate the risk the same way they would evaluate services hosted in their own data centers.
Does the cloud service provide the same level of security control around systems that a business would have if it hosted the service itself? Does it meet a company’s standards for system configuration, network security, firewall management, malware management and other security issues? If not, consider taking that service off the table, at least as far as sensitive information is concerned.
Also be careful to make a distinction between public and private cloud services. Most security professionals would hesitate to place their most sensitive data assets in a public cloud environment where isolation controls may not be adequate to sufficiently segregate company data from that of other customers. Private cloud services, on the other hand, may have security controls in place that rival (or exceed) those in a business environment.
After making substantial investments in IT compliance over the past decade, many businesses are hesitant to consider outsourcing services that involve the storage, processing or transmission of regulated data. That’s understandable. However, the use of carefully vetted cloud vendors can actually reduce the burden of compliance for many organizations by spreading the costs and maintenance of many expensive security controls across multiple clients.
When considering deploying a cloud service in a regulated environment, make sure the legal ducks are in a row. For example, organizations subject to the Payment Card Industry Data Security Standard that are considering outsourcing any aspect of payment card operations must ensure that the cloud service provider appears on Visa’s Global Registry of Service Providers.
Organizations subject to the Health Insurance Portability and Accountability Act, on the other hand, must undertake their own investigation of the service provider’s security controls. In many cases, they must enter into a formal business associate agreement with the service provider.
Many organizations have built robust security monitoring processes that consume, correlate and analyze security log information created by a variety of devices and applications. These processes often leverage centralized security information and event management (SIEM) systems and rely upon specialized security devices such as intrusion detection systems, file integrity monitoring systems, firewalls and content filters. In many cases, dedicated staff watch these systems on a regular basis to identify potentially malicious activity as early as possible.
It’s essential to carefully delineate the monitoring responsibilities of the cloud provider and those of the business’s IT staff. Perhaps the cloud vendor can provide intrusion detection and prevention services while the company’s IT staff monitors application security using centralized monitoring tools. Put these arrangements in writing and verify them periodically to avoid misunderstandings.
Security incidents are among the most stressful events facing an IT organization. Tempers flare, tension rises and everyone is under the gun to resolve the incident as quickly as possible. In such cases, the last thing a company needs is a cloud service provider that hinders its ability to gather information or take necessary actions to eliminate a security threat.
The solution here is similar to that for security monitoring: Be explicit about incident response duties in the agreement with the cloud vendor. Ensure that the vendor commits to providing timely, detailed notifications of any suspected security incidents. Finally, test incident response procedures on a regular basis, preferably including the vendor’s staff in the test.
Many businesses turn to cloud technology because the cloud service provider’s scalability and redundancy offer higher availability than the organization could achieve on its own.
To hold a vendor accountable to high-availability promises, outline company expectations in a service-level agreement and include significant financial penalties for the vendor if it fails to live up to the terms of the SLA. Always perform independent availability monitoring to evaluate the vendor’s success.
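As an added illustration of the independent availability monitoring recommended above (example code, not from the original article), this Python script turns a constructed external probe log into measured availability and compares it with an SLA target; the "timestamp,status" log format and the five-minute probe interval are assumptions.

```python
from datetime import datetime, timedelta

# Constructed probe log (made-up, not real vendor data): one "timestamp,status"
# line per 5-minute check, as an independent external monitor would record it.
PROBE_LOG = """\
2024-03-01T00:00:00,up
2024-03-01T00:05:00,down
2024-03-01T00:10:00,down
2024-03-01T00:15:00,up
2024-03-01T00:20:00,up
2024-03-01T00:25:00,down
"""
PROBE_INTERVAL = timedelta(minutes=5)

def parse_probes(log):
    """(timestamp, is_up) pairs; any status other than 'up' counts as down."""
    probes = []
    for line in log.splitlines():
        ts, _, status = line.partition(",")
        probes.append((datetime.fromisoformat(ts), status.strip() == "up"))
    return probes

def find_outages(probes):
    """Group consecutive failed probes into (start, end) outages; end is the first
    probe that succeeded again, or one interval past the last probe if still down."""
    outages, start = [], None
    for ts, up in probes:
        if not up and start is None:
            start = ts
        elif up and start is not None:
            outages.append((start, ts))
            start = None
    if start is not None:  # outage still in progress at end of log
        outages.append((start, probes[-1][0] + PROBE_INTERVAL))
    return outages

def availability_report(log, sla_target_pct):
    """Measured availability over the log window versus the SLA target."""
    probes = parse_probes(log)
    outages = find_outages(probes)
    window_min = len(probes) * PROBE_INTERVAL.total_seconds() / 60
    down_min = sum((end - start).total_seconds() / 60 for start, end in outages)
    measured_pct = 100 * (window_min - down_min) / window_min
    return {
        "outages": len(outages),
        "downtime_minutes": down_min,
        "availability_pct": round(measured_pct, 2),
        "allowed_downtime_minutes": round(window_min * (1 - sla_target_pct / 100), 2),
        "sla_breached": measured_pct < sla_target_pct,
    }
```

Run against a full billing period, the same report gives the evidence needed to invoke the SLA's financial penalties rather than relying on the vendor's own uptime figures.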
The ultimate risk in a cloud environment is that the provider will suddenly close its doors. This is the nightmare scenario that many IT managers sweat over at night — nobody wants to be the one who chose a vendor that later goes out of business. Investigate the vendor before signing a cloud contract.
If the vendor seems shaky, consider bringing in financial experts to evaluate the vendor’s books and assess its viability. Revisit the assessment on a periodic basis to pick up on early warning signs that a vendor might be failing. At the same time, back up company data either on premises or on a platform managed by a third party. Just keep in mind that many cloud vendors use services provided by other cloud providers, so make sure that all claims of redundancy are real.
Overall, avoid making sweeping conclusions about the security of cloud services. Instead, carefully assess the risks of every cloud service under consideration and determine whether the vendor will be able to meet or exceed the security standards used for in-house systems.