Cloud computing has long moved on from being the groundbreaking new tech to becoming something that most companies use. Data security in the cloud has been the topic of much concern and discussion since the cloud’s very beginning, and rightly so, given its complexity. There are at least two of the many aspects of ensuring your data is secure that should be addressed by an organization as the first measure of securing their data in the cloud. First is the organization’s own internal environment’s security. Second and usually the most discussed is the security of the cloud solution’s provider.
While most cloud vendors treat security as a critical component of their offering, the fact remains that there are still some risks that come with using cloud computing. It is up to you as a client to know how to protect your company from these risks as best as possible .
When it comes to security, of course, infrastructure plays an important part as well.
When using any cloud solution, from SaaS to cloud hosting, you are in fact handing over sensitive data, your own or your client’s to another company. The way that data is stored, managed and later, if necessary, transferred is one of the most important things you need to address especially when you shop for a cloud provider.
This is where audits come in handy, whether we are talking about an external one, or one done by your IT department, taking a closer look at your vendor’s security. So, what should one have in mind when we talk about security in the cloud?
Having well-defined security requirements.
All your security requirements need to be clear, taking into consideration your company’s policy, legal and regulatory obligations. A strong Service Level Agreement (SLA) is the one that will ensure that should disaster strike, or infrastructure unavailabilities, distributed denial-of-service (DDoS) attacks, and other possible scenarios happen, you are covered. Make sure that you have a well put together disaster recovery plan in order to ensure that you can have business continuity.
Properly checking your potential cloud service provider
Asking the right questions will help you get a better picture of the vendor’s security measurements. Here are some examples:
- Does the vendor have an overall quality system that addresses organizational structure, responsibilities, processes and resources?
- Does the vendor review the procedures periodically (i.e. the quality system) ? Do you include in these reviews audits, customer feedback, process performance and issues, and changes?
- Does the vendor have any formal risk assessment process to apply to your own or your customers’ information?
- Has the internal audit function performed a security or application audit?
- Have other companies (public accountants, specialists, other customers) conducted security or application audits?
- Have any security control reports been performed such as SOC1/SSAE 16, SOC2 or SOC3?
- If so, can the company provide a copy of your most recent SSAE16 or other security control report?
- Does the vendor offer access to the Environment Log and Systems?
- Does the company perform Vulnerability Analysis and Ethical Hacking?
- Does the company offer monthly, quarterly or annual reports?
One other thing you need to focus on is if your vendor has all the relevant certifications, such as ISO 9001, 27001, PCI DSS, SSAE16/ISAE 3402.
You will also need to take care of the possibility of changing the provider. And that is an issue that needs to be addressed from the very start. Basically, your contract needs to have a very clear overview of methods used for data disposal, server storage, and backup tapes. The methods used for these are also something that needs to be clearly established from the very start.
Last, but certainly not least, you can make sure that your vendor agrees to be externally audited by a person from your company from time to time, to make sure that everything that was agreed upon in the contract is in place and followed through.
Once you have the answers to these questions nice and taken cared of, you can say that you have taken the first steps to ensure that your company is as secure as possible. In the end, as any technology, cloud computing has its risks, but with a good due diligence strategy, you can help keep yourself out of trouble.