Can your organization enter the cloud securely?
Published by Dave Murray on February 17, 2010 at 3:25 am. Filed under Cloud Computing
With each new wave of innovation there are opportunities for increased productivity and cost reductions. Unfortunately, new risks often accompany these opportunities. The buzz around cloud computing is that it is a key technology that will allow your organization to aggregate costs with other companies and obtain a more cost-efficient solution. What many organizations are not discussing are the security risks these solutions can introduce if you choose the wrong provider or implement a solution incorrectly.
When considering a cloud computing provider, it is important that you ask some tough questions. Make sure to check these key points before engaging with any provider:
1. Make sure the solution was designed and implemented with proper security and human controls. Know who has access. Get as much information as you can about the people who manage your data. Ask for specific information on the hiring and oversight of administrators, as well as the controls over their access.
It is really important to avoid vendors that refuse to provide detailed information on their security programs and procedures. Your organization needs to make sure the provider has clearly thought through and validated the policies, risk-control processes and technical mechanisms that are in place. Verify that an adequate level of testing has been done to confirm that service and control processes are functioning as intended and, more importantly, that vendors can identify unanticipated vulnerabilities.
2. Find out how your data is segregated from other customers. Data in the cloud is normally in a shared location. It is important to find out what is done to separate data. Encryption is usually a key component of this separation. Make sure that the data separation methods used have been thoroughly tested. Your organization should evaluate the trade-offs made in this separation and make sure these trade-offs are ones your company is comfortable with.
3. Understand that any solution is only as good as its recovery. Make sure that an effective disaster recovery plan is in place, preferably with data backed up across multiple data centers.
4. Understand who your organization is dealing with. Do not assume your provider is financially viable. The natural human inclination is to believe that any company providing an online service or application is both financially qualified and technically able to provide this solution. One of the hard lessons learned with ASPs (Application Service Providers) when they were introduced was that the financial viability of an ASP is a key security consideration. When many of these early ASPs abruptly closed their doors during the “Dot Bomb”, they often did it with data that was critical to their customers. These types of scenarios are why it is important to verify that your provider is financially viable. It is also important to find out what contingencies are in place if the provider does somehow go broke, get acquired, or experience some other disruption. Ensure your data will remain available if any of these unexpected events occur. It is also good to verify that the data will be in a standard (compatible) format that is easily moved into another environment.
By following these steps you can ensure that your company has a safe entrance and experience in the cloud computing environment, and enjoy the benefits without the risks.
The good news is that if cloud computing is implemented properly with a reliable provider, cloud computing can also be a security enabler. The Executive Director of ENISA, Dr. Udo Helmbrecht, underlines: “The scale and flexibility of cloud computing gives the providers a security edge. For example, providers can instantly call on extra defensive resources like filtering and re-routing. They can also roll out new security patches more efficiently and keep more comprehensive evidence for diagnostics.”
To ensure your organization is safe, Convergence extensively evaluates the companies, technology, security and internal policies of all the solutions we provide. Contact your Convergence representative to see if our secure cloud solutions are right for you.