Cloud Services are increasingly used by companies of all sizes to manage their computing costs while using the latest technologies to reach current and potential customers. They are extending and enhancing the reach of their brand by embracing Social Media, and containing capital and operational costs by using Cloud Service providers as suppliers and managers of these new technologies.
However, as always, there is no such thing as a free lunch. By moving their data and applications onto storage managed by a third party, usually in a different physical location, companies increase their exposure to data theft and malware attacks.
Cloud Security therefore assumes great significance in the selection of a Cloud Service provider.
What is Cloud Security, or as it is sometimes called Cloud Computing Security?
The official answer is that Cloud Security (or Cloud Computing Security) is the subset of the policies and procedures used in computer security that is specifically tailored to the Cloud environment. More specifically, it is the hardware, software and operational procedures used to protect data and applications in the Cloud. Because the safety of your data and your business continuity is now in the hands of a third party, Cloud Security alone is not quite enough.
Firstly, it is a given that a key part of your security planning is a deep understanding of your business needs, of your outsourced supplier and how they propose to meet the Cloud Computing Security challenges.
New Security Environment
The EU has put forward some stringent security regulations in its GDPR project, which are due to become mandatory in early 2018. The US DoD also has heavy data protection requirements for its suppliers and contractors.
If you are outsourcing, does your outsource partner comply?
Outsourcing means you are handing over your business computing, and your links with current and potential customers and suppliers, to a third party. A loss of service could be a mild irritant or utterly catastrophic depending on your business. The ability of your selected service provider to manage potential threats, and to react to them promptly if they happen, is key to sustaining your business. Remember there are no infallible security systems, only those that haven’t been breached yet.
A robust and certified data centre with access control is needed. A guy working out of his garage just doesn’t cut it. The key thing is to confirm that the supplier has minimised the possibility of service disruptions because of power and equipment failures and maximised the ability to recover from them quickly. Look for UPS, backup generators, backup internet connections and reliable brand-name hardware. Ideally, the data centre should be certified. There are various certification schemes in play for various industries. Credit Card companies have strict data centre specifications before an organisation can issue and process branded credit cards under their label.
Once you have outsourced, management and control of the operational environment are out of your hands. Security may slip down, or off, the radar of both you and your outsourced supplier.
As a precautionary measure, you need to ensure that regular, and enforced, security reviews with the service supplier are an integral part of the outsource management routine. A potential area of concern that needs to be monitored is whether software changes have altered your security settings.
Outsourced Data Security
Most outsourced suppliers are multi-tenant, in that they host several different companies on the same hardware platform. They also use third parties to provide specialist services.
This environment brings a major area of risk in that there will be a dramatic increase in the number of people who have access to your data. In that group, there may be an individual who can be persuaded to steal your data or take actions that will harm your business.
A solution is to encrypt your cloud-based data. Only authorised users in your company have access to the keys that allow them to see the unencrypted data. The cloud services provider does not have them. In short, the provider is the custodian of the data, not the controller.
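To make the custodian/controller split concrete, here is an added example (not code from the original article) in Go: the tenant encrypts each object with a key from its own key store before upload, the provider stores only ciphertext, and any alteration of the blob, any copy of it under another name, or any attempt to read it with a different key fails on download. Tenant, Provider and the object names are hypothetical.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// Tenant wraps a 32-byte AES-256 key that comes from the tenant's own key store
// and is never sent to the provider. Tenant/Provider are hypothetical names.
type Tenant struct{ aead cipher.AEAD }
// Provider is a custodian: it stores and returns opaque blobs and holds no key.
type Provider struct{ Objects map[string][]byte }

func NewTenant(key []byte) (*Tenant, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	g, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Tenant{aead: g}, nil
}

func (p *Provider) Put(name string, blob []byte) { p.Objects[name] = blob }
func (p *Provider) Get(name string) []byte      { return p.Objects[name] }

// Upload encrypts locally and hands the provider only nonce||ciphertext; the
// object name is bound as associated data, so a blob copied under another name
// by the custodian will not decrypt.
func (t *Tenant) Upload(p *Provider, name string, data []byte) error {
	nonce := make([]byte, t.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	p.Put(name, t.aead.Seal(nonce, nonce, data, []byte(name)))
	return nil
}

// Download decrypts locally; any alteration by the custodian, or use of a
// different tenant's key, fails the GCM tag check and returns an error.
func (t *Tenant) Download(p *Provider, name string) ([]byte, error) {
	blob, ns := p.Get(name), t.aead.NonceSize()
	if len(blob) < ns {
		return nil, errors.New("object missing or truncated")
	}
	return t.aead.Open(nil, blob[:ns], blob[ns:], []byte(name))
}
```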
The service provider must not be allowed to create and maintain user profiles on the system, in both the system itself and in any applications.
A very important area is that of malware. The provider must have industrial-strength malware protection, and documented recovery and restore procedures for use if they are hit by malware.
There are also many other subsidiary issues around the security of data. For example, many organisations consider a regular security audit a necessary part of their compliance procedures.
All in all, though most large service providers are vigilant and well-prepared, you also need to be prepared.