We often hear from clients that they are hesitant about moving their internal systems into the cloud because of security issues. The reasons range from the availability of the systems to the risk of information being hacked as it transfers over public data lines. Securing critical business data is certainly an absolute must, and ensuring constant access to that data is just as important. Fortunately, with the advances in cloud computing, not only has the technology eliminated the security issues, but cloud computing will likely improve data availability for your company.
As you consider the move to a cloud-based system, it is important to look for transparency with respect to vendor services and to avoid companies that fail to provide a comprehensive overview of security procedures. It is always a good idea to ask as many questions as you can concerning policy guidelines; security architecture such as encryption, firewalls and other technical features; and the degree to which the vendor can verify that service and control processes are functioning correctly. Things to look for are:
- Privileged user access. Sensitive data processed outside the enterprise brings with it an inherent level of risk, because outsourced services bypass the “physical, logical and personnel controls” IT shops exert over in-house programs. Get as much information as you can about the people who manage your data.
- Regulatory compliance. Customers are ultimately responsible for the security and integrity of their own data, even when it is held by a service provider. Traditional service providers are subjected to external audits and security certifications. Cloud computing providers who refuse to undergo this scrutiny are not worth the trouble.
- Data location. When you use the cloud, you probably won’t know exactly where your data is hosted. In fact, you might not even know what country it will be stored in. Ask providers if they will commit to storing and processing data in specific jurisdictions, and whether or not they will contractually abide by that commitment.
- Data segregation. Data in the cloud is typically in a shared environment alongside data from other customers. Encryption is effective but isn’t a cure-all. The cloud provider should provide evidence that encryption schemes were designed and tested by experienced specialists.
- Recovery. Even if you don’t know where your data is, a cloud provider should tell you what will happen to your data and service in case of a digital catastrophe. Ask your provider if it has the ability to do a complete restoration, and what sort of time frame is involved in accomplishing this.
- Investigative support. Investigating inappropriate or illegal activity may be impossible in cloud computing. Find out to what degree the vendor will contractually support investigative activities.
- Long-term viability. Ideally, your cloud computing provider will never go broke or get acquired by a larger company. But it is up to you to ensure that your data will remain available even after such an event. Ask potential providers what sort of assurances they can commit to in such an event.