While some people still associate cloud with a lack of security, perceptions are changing. Proponents of the cloud industry say it is very safe, and highlight that, as with any other purchasing decision, corporates must do their due diligence and ensure that they choose an established supplier.
One place to start is to look at the supplier’s reference customers: are companies within regulated industries using them? Test the service. Do not have your first encounter with cloud using a highly sensitive application or database; instead, get a feel for how the environment works with a less important set of information.
Large companies with IT teams and security experts should make sure that those teams are involved in the due diligence process, and companies that don’t have professionals in-house should engage an independent consultant.
Things to check include security policies for data centres, which should be at least equal to if not better than their own internal policies; how they handle change management; and arrangements for firewalls and access control. Businesses should fully understand and agree on service levels with the cloud provider including data recoverability.
In addition, it is important for a business to know what will happen to its data on the termination of a cloud service contract. How will the data be returned to the client? What will happen to the cloud infrastructure? For example, will the disks the data was stored on be destroyed or overwritten?
One of the difficulties people have with cloud storage is that they do not understand how the cloud works, for example whether data is easier or more difficult to protect in a cloud infrastructure as opposed to traditional on-premise infrastructure.
Businesses must understand that in many cases the difficulty level is the same. Cloud providers will often undertake the same checks and balances and use the same protection. Those cloud service providers who operate systems for various clients may be more secure than on-premise platforms. However, a public cloud, where several organisations are using the same applications and/or infrastructure, can present data security issues because of access control. What’s more, other considerations, such as anti-virus software, firewalls and encryption, are equally important whether on-premise or in the cloud.
Regulators have also displayed their commitment to safeguarding data, including what is in the cloud, through a raft of recent legislative activity. The new EU legislation, GDPR, for example, is aimed at simplifying and updating data legislation, unifying different regulation regimes under one umbrella. It will mean that cloud providers as well as data owners will be liable for data breaches that occur. At the moment, it is the data owner rather than the hosting company that is liable.
There is also a specific level of fines proposed for data breaches, which is five per cent of a company’s annual turnover. The effect on cloud providers and hosting companies will be significant, and they will have to get their house in order to avoid potential punitive fines.
The cloud is fast becoming the easiest and most cost-effective storage solution for businesses, but if cloud providers want to truly succeed they must not only convince businesses that the cloud is secure, but also be even more stringent with data to convince regulators that they can safeguard data effectively.
Five tips for staying secure in the cloud:
- Make sure to test the service before you sign over your application or database to a cloud provider
- Does your business have access to IT security experts? Get them involved in the due diligence process
- Check your cloud provider’s security policy. It should be at least as reliable as your business’ internal policy
- Know who the key contacts are at the cloud provider should there be a data leak or loss
- Understand your cloud provider’s backup schedule. Is it incremental? Is it real time? How far back do backups go?
Paul Le Messurier, Programme and Operations Manager at Kroll Ontrack.