Cloud security is still a major concern for organisations using cloud services and for those considering using them.
This HP white paper explains the five biggest risks and ways of mitigating them.
1: Managing cloud data
If an organisation puts its data into the cloud to be managed by a cloud service provider and there is a data breach at the provider's end, the cloud customer is still responsible for the breach under most compliance regimes.
That means if customer details go missing or medical records are wrongly accessed, the cloud customer is responsible for putting things right and may also be liable for any financial penalties under national data protection regimes.
Although many cloud deployments are protected by automated processes in the provider's data centres, customers must establish with their provider exactly what security controls are in place, including physical security of the building and the vetting of data centre staff.
They should map the data flow between their organisation, the cloud service provider, and any customers, partners or other cloud connections. Such a map shows where data enters and leaves the cloud, and therefore where security controls are required.
As well as security hardware and software options, companies should consider data encryption schemes (including who holds the keys), audit and data retention policies, and should obtain assurances from the cloud provider that its service can meet the compliance demands of the customer's industry.
It is only after these checks that an organisation is on the way to safely putting its data into the cloud.
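One of the encryption schemes worth considering is client-side envelope encryption, where data is encrypted before it leaves the organisation and the key-encryption key never reaches the provider, so a breach at the provider's end exposes only ciphertext. The following is an added example, not code from the HP white paper; it uses Go's standard-library AES-256-GCM, a hypothetical KEK generated in place of one held in a KMS or HSM, and a constructed sample record.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"io"
)

// StoredObject is everything the provider holds for one object. Without the
// customer-held key-encryption key (KEK) it is opaque.
type StoredObject struct {
	Name       string // object name, authenticated as associated data in both layers
	WrapNonce  []byte // nonce for wrapping the data key under the KEK
	WrappedDEK []byte // per-object data-encryption key, AES-256-GCM under the KEK
	Nonce      []byte // nonce for the payload
	Ciphertext []byte // AES-256-GCM output with the 16-byte tag appended
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func randomBytes(n int) ([]byte, error) {
	b := make([]byte, n)
	_, err := io.ReadFull(rand.Reader, b)
	return b, err
}

// Seal encrypts plaintext on the customer's side under a fresh per-object DEK,
// then wraps that DEK under the 32-byte KEK. Binding the object name into the
// associated data means a ciphertext cannot be served under another name.
func Seal(kek []byte, name string, plaintext []byte) (*StoredObject, error) {
	if len(kek) != 32 {
		return nil, fmt.Errorf("kek must be 32 bytes for AES-256, got %d", len(kek))
	}
	dek, err := randomBytes(32)
	if err != nil {
		return nil, err
	}
	dataAEAD, err := newGCM(dek)
	if err != nil {
		return nil, err
	}
	nonce, err := randomBytes(dataAEAD.NonceSize())
	if err != nil {
		return nil, err
	}
	kekAEAD, err := newGCM(kek)
	if err != nil {
		return nil, err
	}
	wrapNonce, err := randomBytes(kekAEAD.NonceSize())
	if err != nil {
		return nil, err
	}
	return &StoredObject{
		Name:       name,
		WrapNonce:  wrapNonce,
		WrappedDEK: kekAEAD.Seal(nil, wrapNonce, dek, []byte(name)),
		Nonce:      nonce,
		Ciphertext: dataAEAD.Seal(nil, nonce, plaintext, []byte(name)),
	}, nil
}

// Open reverses Seal. Any change to the ciphertext, the wrapped key or the
// name fails the GCM tag check and yields an error rather than garbage.
func Open(kek []byte, o *StoredObject) ([]byte, error) {
	kekAEAD, err := newGCM(kek)
	if err != nil {
		return nil, err
	}
	dek, err := kekAEAD.Open(nil, o.WrapNonce, o.WrappedDEK, []byte(o.Name))
	if err != nil {
		return nil, fmt.Errorf("unwrap data key for %q: %w", o.Name, err)
	}
	dataAEAD, err := newGCM(dek)
	if err != nil {
		return nil, err
	}
	pt, err := dataAEAD.Open(nil, o.Nonce, o.Ciphertext, []byte(o.Name))
	if err != nil {
		return nil, fmt.Errorf("decrypt %q: %w", o.Name, err)
	}
	return pt, nil
}

func main() {
	// Hypothetical KEK: in practice held in a KMS or HSM the customer controls.
	kek, _ := randomBytes(32)
	// Constructed sample record; the provider only ever sees obj.
	obj, err := Seal(kek, "records/patient-0001.json", []byte(`{"patient":"example"}`))
	if err != nil {
		panic(err)
	}
	fmt.Printf("provider holds %d opaque bytes for %s\n", len(obj.Ciphertext), obj.Name)
	pt, _ := Open(kek, obj)
	fmt.Printf("customer recovers: %s\n", pt)
	// Renaming or swapping the object at the provider is rejected: the name is
	// authenticated together with the content.
	obj.Name = "records/patient-0002.json"
	_, err = Open(kek, obj)
	fmt.Println("after rename:", err)
}
```

The per-object data key means a single compromised key exposes one object, and rotating the KEK only requires re-wrapping the small data keys rather than re-encrypting every object held at the provider.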
2: A lack of cloud security standards
Regulatory compliance has been mentioned above. While there are established general IT security standards, there is a lack of standards covering cloud security specifically.
Some countries, including Singapore, are already promoting specific security guidelines covering what security customers should expect from their cloud service provider in relation to specific cloud services, but such guidelines are few and far between.
Most countries are leaving it to the market to decide. This has led to supplier-backed cloud industry organisations being formed to promote basic cloud security checklists and to commit their member suppliers to including certain protections in their cloud services.
While welcome, such initiatives should not be relied upon alone by cloud customers. They should approach cloud security as they would any other IT contract with an outside provider, and make sure that the contract they sign covers data security comprehensively.
3: Data location
Data location and cloud security have a number of facets. If a single cloud provider is being used, what happens if that provider has a major outage?
This has already happened to cloud market leaders like Amazon Web Services and Google on a number of occasions in the recent past, leading to customer data not being accessible and applications not being available.
Therefore, whatever cloud provider is being used, it is important for cloud customers to back up their data in locations under their own control and/or to use more than one cloud provider.
Data replication technologies exist that work across the different cloud providers serving a customer. They allow the customer's data to be replicated to, and made available from, another provider after an outage, but only if the replication systems are put in place, and tested, beforehand.
The national location of the data being put into the cloud is also important: the jurisdiction over that data is determined by the laws of the country in which it resides.
A cloud customer based in Germany answers to German law, but if it uses a US-based cloud service provider, that provider answers to US law when it comes to potential US governmental access to the customer's cloud data under crime prevention and anti-terrorism statutes.
At the same time, this may mean that the German company is breaking its own national data protection laws by using a US cloud provider.
Cloud customers must therefore be clear about the potential international access to their data, and choose their provider carefully after considering their national laws.
4: Supplier business continuity
If a cloud service provider goes bust or is acquired by another company, this could have obvious implications for their customers' data.
Customers must ask the right questions in readiness for the outside chance that their supplier has a business continuity problem. They must make sure their data is safe and that they can still get at it if the provider runs into difficulty.
They must ask potential cloud service providers how they would get their data back, and whether it would be in a format that they could import into a replacement platform, whether on-premises or at an alternative cloud provider.
In any such case the importance of the data back-up systems mentioned above cannot be overemphasised, and the right to retrieve customer data freely must be written into cloud contracts to cover the possibility that the provider faces difficulties in the future.
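Both the replication point under risk 3 and the data-retrieval point under risk 4 come down to the same practical check: can the customer prove, without trusting the provider's word, that a copy retrieved from a given location is complete and unaltered? The following is an added example, not code from the HP white paper. It keeps a content-hash manifest under the customer's own control and runs it against copies retrieved from two locations; the object names and contents are constructed sample data, and the "providers" are plain in-memory maps standing in for whatever retrieval mechanism a real provider offers.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
)

// Manifest maps object name to the hex SHA-256 of its content. It is built at
// backup time and kept under the customer's own control, separate from every
// provider, so a restore can be checked against something the provider did
// not produce.
type Manifest map[string]string

func digest(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// BuildManifest records the expected content hash of every object in the set.
func BuildManifest(objects map[string][]byte) Manifest {
	m := make(Manifest, len(objects))
	for name, content := range objects {
		m[name] = digest(content)
	}
	return m
}

// VerifyReplica checks a copy retrieved from one location against the
// manifest. Objects absent from the replica are reported as missing, objects
// whose content differs as corrupt; both lists are sorted so reports are
// stable. Extra objects in the replica are ignored: the manifest, not the
// provider, defines what must be restorable.
func VerifyReplica(m Manifest, replica map[string][]byte) (missing, corrupt []string) {
	for name, want := range m {
		got, ok := replica[name]
		switch {
		case !ok:
			missing = append(missing, name)
		case digest(got) != want:
			corrupt = append(corrupt, name)
		}
	}
	sort.Strings(missing)
	sort.Strings(corrupt)
	return missing, corrupt
}

// Restorable reports whether every object in the manifest can be recovered
// intact from at least one replica, i.e. whether the set of locations taken
// together still gives the customer its complete data set.
func Restorable(m Manifest, replicas ...map[string][]byte) bool {
	for name, want := range m {
		found := false
		for _, r := range replicas {
			if got, ok := r[name]; ok && digest(got) == want {
				found = true
				break
			}
		}
		if !found {
			return false
		}
	}
	return true
}

func main() {
	// Constructed data set as it was at backup time.
	original := map[string][]byte{
		"customers.csv": []byte("id,name\n1,example\n"),
		"orders.json":   []byte(`[{"id":1,"total":9.99}]`),
		"policy.txt":    []byte("retain 7 years\n"),
	}
	m := BuildManifest(original)

	// Constructed copies retrieved in a restore drill: one location returned
	// everything intact, the other is missing one object and altered another.
	providerA := map[string][]byte{}
	for k, v := range original {
		providerA[k] = v
	}
	providerB := map[string][]byte{
		"customers.csv": []byte("id,name\n1,example\n"),
		"orders.json":   []byte(`[{"id":1,"total":0.00}]`),
	}

	for label, r := range map[string]map[string][]byte{"provider-A": providerA, "provider-B": providerB} {
		missing, corrupt := VerifyReplica(m, r)
		fmt.Printf("%s: missing=%v corrupt=%v\n", label, missing, corrupt)
	}
	fmt.Println("complete set recoverable:", Restorable(m, providerA, providerB))
}
```

Running the drill periodically, rather than only when a provider is already in trouble, is what turns the contractual right to retrieve data into a demonstrated ability to do so.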
5: Not taking a risk-based approach to security
Cloud security is not just about updating hardware and patching software; firms must review their processes end to end.
If firms do not take a risk-based approach to cloud security, they may end up wasting money on unnecessary security or even putting processes and apps into the cloud that shouldn't be there.
The bottom line is that not all risk scenarios are the same. For instance, some critical applications might be too important to move to a cloud service provider, while extensive security controls might be over the top for relatively low-value data being moved to cloud-based storage platforms.
Organisations must assess their network for cloud suitability, consider how to handle their unstructured data, and decide what data and applications they can reliably and securely put into the cloud.
They must also complete a user impact assessment, consider how legacy systems can be integrated with cloud applications and systems, plan a cloud migration strategy, and educate users about safe cloud use.
This can be hard in terms of internal skills available at many firms, which is why a large number use cloud integrators and service companies.
After going through these processes organisations should be clearer about what they are moving into the cloud, their risk tolerance, and which type of cloud provision suits them. With this in front of them, they can then decide on the best security protocols and security systems to be put in place.