LONDON -- In the absence of established cloud computing data security standards to audit cloud-based service providers, companies wanting to move their IT to the cloud must apply due diligence before committing themselves to a supplier.
"Procurement needs to be done with great care in order to reduce risks. You need to use a lot of common sense," said Iain Bourne, head of data protection projects at the Information Commissioner's Office. Smaller organisations, which do not have access to lawyers and expensive consultants, are especially at risk. "What they need is a good set of contractual rules they can use to guide them," he said, adding that the ICO will soon issue a guide on the subject aimed at smaller companies.
Bourne's comments came at the Cloud Computing World Forum in London during a panel session, which he shared with Robert Johnson, head of front-office technology for Mitsubishi UFJ Securities International, and Ron Brown, European director of cloud services for CSC Corp.
Johnson said it would be impossible for him to entrust financial information to the cloud because of suppliers' inability to provide evidential proof or a clear audit trail in the event of a breach. "Without those things, you cannot trust the cloud," he said.
Johnson added that it will take some time for the law and auditors to catch up with technological developments, and that, in the meantime, companies should apply common sense when deciding how to use cloud suppliers. "You can't store sensitive data out there [in the cloud] yet," he said. "But banks are like sheep. Once one does it, others will follow. However, we do need some standardisation of security in the cloud."
Brown agreed on the need for some standardised auditing rules that could measure a cloud supplier's security, but in the meantime he said CSC has built up a private list of cloud suppliers that it knows it can trust. "Twenty years ago, the auditors stopped companies [from] outsourcing their IT, but eventually they changed. The same will happen with the cloud," he said.
Bourne also hinted that the strict EU rules limiting where personal information can be physically stored will have to change. "The rules governing this are beginning to look arcane," he said, adding that a new EU data protection directive must give "more realistic treatment" to data.
"We can't control where information is, we just need to stay in control of the information the cloud suppliers collect," Bourne said. "I'd rather have a secure centre in Mumbai than an insecure one in Manchester."
Other security professionals agree that auditing standards are needed, but they will take some time to develop. Justin Pirie, director of communities and content for Mimecast Services Ltd., a supplier of managed email services, said: "It is hard for customers to tell the difference between a cloud vendor with a properly architected delivery infrastructure and one that has patched it together and is using cloud as a badge. Various standards initiatives are underway, but [the] cloud is so far removed from traditional IT that it is proving a complex task."
Until a suitable industry standard can be agreed upon, Pirie said, "it is vital that potential buyers of cloud services do their own due diligence and ensure the technology they use is robust, properly architected and secure."
In the meantime, advice on how to perform such due diligence is available in the form of the Cloud Security Alliance's downloadable best practice guide, the Jericho Forum's document on how to select applications for the cloud, and the Information Commissioner's Office's guide for handling privacy online and SME checklist (.pdf).