Cloud computing is all the talk amongst businesses today. Over the next couple of years cloud computing has the potential to drastically transform the way in which organisations perform computing. The benefits of cloud computing are easily recognised, it offers increased storage, flexibility and most importantly cost reduction. All of these benefits are essential for assisting in the growth of a successful business. The Cloud will impact IT departments, architectures, how operations are run and the most controversial aspect to date, how securing the cloud will be ensured. The clouds outstanding benefits are attracting many organisations; however the one aspect holding most back are the questions relating to the security of the cloud, how secure is ones data when in the cloud and can the security risks be overcome to ensure a secure environment.
Potential cloud security risks to take into consideration, and possible steps to take to reduce the risks
1. Where is your data located
When utilising the cloud technology the chance of one not knowing the location of ones data, where it is hosted or even which country it is located in is very likely. A step closer to trying to secure your data is to agree with the vendor to keeping and processing your organisations data in a particular area. You could also enforce that they abide by the requested jurisdictions privacy requirements, thus keeping the integrity of the data. Different jurisdictions will be governed by different laws and even different encryption requirements and encryption export laws. It is important to observe these laws and ensure compliance or potentially face a fine or legal action.
2. Is your data secluded
Cloud technology works well in that it is able to store many organisations data in a shared environment, thus reducing costs. Customer’s data is thus together in the cloud. The vendor needs to ensure that the data is segregated to reduce security risks. One way to do this is by utilising encryption methods to encrypt the data allowing only specific individuals access to the key. The Encryption methods need to have been thoroughly tested in the environment to ensure that they will be effective.
3. Is privileged user access utilised
Sensitive data processed outside the organisation brings with it a characteristic level of risk, as outsourced services evade the security measures that IT departments enforce internally. Trust is now being placed on outsiders, thus bringing them into the organisation. To decrease the risk one can obtain as much information as possible with regards to the people in contact with your data, and information over how the access to your data is controlled.
4. Does the vendor comply with the necessary regulations
At the end of the day the organisation is ultimately responsible for the security and reliability of their data even if it is held outside the company, within the cloud. To ensure that the necessary regulatory compliances are being adhered to, the vendor should be able to demonstrate to external auditors that the organisations data is secure through providing transparency into all activity’s taking place in the cloud with regards to their data.
5. Disaster recovery options
As much as we would all like to believe otherwise, disasters are always waiting to happen. The organisation needs to be prepared with the correct tools in order to recover. The cloud provider or vendor must be able to inform you of what should happen in case of a disaster. It is essential that multiple sites exist where ones data and application infrastructures are replicated.
6. How to go about investigating unfitting or illegal activity in the cloud
Cloud services lend themselves to being particularly difficult to investigate or near impossible. Due to its nature, logging of data of more than one customer is likely to be found together, also hosts and data centres are constantly changing. Therefore the process of investigation is almost impossible unless the vendor has a tried and tested method that they are able to demonstrate and use effectively.
7. Server elasticity
As previously noted one of the benefits of cloud technology is the fact that it brings about a great degree of flexibility. This could be problematic in the case when the hosting server needs to be provisioned or de-provisioned to reveal the current capacity requirements. Some servers may be reconfigured frequently, without your prior knowledge. This may be challenging to some of the technologies your organisation is relying on within the cloud, as the environment does not lend itself to being static. This is difficult when it comes to securing the data, as traditional methods of securing data rely on an understanding of the network infrastructure, however if it is forever changing and is not constant those security measures would not be suitable.
8. Service Provider downtime
This is a fundamental measure of security often overlooked. The downtime a service provider experiences could be detrimental to your organisation. Reliability with regards to this is essential.
9. Viability for your organisation in the long term
Something to consider when looking for a cloud provider is the viability in the long term. One will need to consider the possibility that you are no longer able to use that particular cloud provider, what routes would be used to ensure the secure transfer of you data to another cloud provider and how you would be able to maintain the integrity of your data.
Cloud computing reduces operational management by the organisation; however the organisation is still held accountable, even though operational responsibilities are held with one or more third parties in the cloud. Therefore when using cloud technology the vendor or cloud provider you choose should be one you are able to trust, one that is completely transparent, with all the information you require and one that has answers to all your questions and holds nothing back.
Companies need to be vigilant; they need to move in with eyes wide open. Not only do they need a trustworthy relationship with the vendor or cloud provider but also need to gain as much information about the third party companies involved that could potentially access their private data. One should also investigate the hosting company used by the provider and possibly seek an independent security audit of their security status.
Security infrastructure is becoming programmable. Like the way organisations pool resources together with regards to computing, cloud security could pool security resources together to ensure privacy and integrity of data in the cloud.
The more insight one has of the potential risks, the more effective one will be at trying to avoid, minimise and control these risks.
Cloud technology is happening all around us and it is moving upon us at a rapid pace. Whether we embrace it, is just a matter of time. The questions of its insecurity’s may be valid but when looked at, is the situation very different to what we are already deliberately placing ourselves and our organisations into today. Many companies already physically outsource parts of their business which handles very sensitive data, for example payroll processing. We may want to believe we have control, however we are quickly handing our control over to others willingly. The biggest hurdle prohibiting cloud services is the ability to trust. Like we trust the service providers that we outsource our payroll processing and many other data sensitive jobs to, we need to trust the service providers of the cloud services. As the technology moves forward in the years to come security will no longer be a concern surrounding the adoption of cloud technology, these hurdles would have been overcome and something new will be the concern.