ComputerWeekly.com

How to assess the security of a cloud service provider

By Andrew Fitzmaurice

As businesses continue to put more of their information online, understanding cloud suppliers and agreements has never been more important

As a user, when my iCloud, Google Drive, Dropbox, etc. synchronise, seemingly by magic, across my smartphone, tablet and laptop, I do not want to know how the cyber plumbing works. I leave all that to the IT professionals. But can I expect them to warn me if I am taking unreasonable risks?  

Not really. If it is your own personal data then, in a way, it is your own choice if you want to put it at risk. But if you are storing personal data on behalf of an organisation, then the legal responsibility lies firmly with your organisation, and specifically your data controller, to get this right – the responsibility does not transfer to the service provider.

A data breach could leave you open to fines of up to £500,000 and prosecution by the Information Commissioner’s Office.  

So why would you even consider using the cloud and cloud-based technologies?

Hidden complexities of cloud computing

Cloud services are a vital part of today's mobility – many of us now want to access any of our data from every one of our devices, all the time, wherever we are. To do this, data has moved off our personal devices into the cloud. All this complexity is hidden from the user, and the global nature of the market provides keen competition. 

Cloud-based services are, by and large, cheap, and in some cases they are free at the point of use. Sounds too good to be true, doesn’t it?

Whenever I am offered something that is free, especially when it comes to the cloud, understanding the business model has never been more important. I have decided that I am prepared to let Google harvest my internet activity in return for the benefit of my using Google Drive and similar cloud-based services. But does every user understand the choices they are making?  


With the complexity hidden from the user, data may be stored under foreign legal jurisdictions, potentially allowing governments and other organisations access to certain aspects of users’ personal lives. When was the last time you read and really understood the "end user licence agreement" before you clicked "I accept"?  

How do small businesses know their data is safe? Am I breaching data protection legislation if I put my company’s personnel data into the cloud? What happens to my data if the internet startup I contracted with goes out of business?

Assessing cloud security

There are a number of ways to assess the security of a cloud service provider, ranging from inspecting their premises to asking if the provider has any third-party certification or accreditation to back up the service contract, so here are a few things that are vital to do:


Other things to check include data destruction on contract completion and/or data recovery on contract termination. The above is not exhaustive, but serves as a guide towards the minimum steps required to use cloud services safely.

Do not get me wrong – cloud is great! Many organisations and individuals could not work without it now. But like so many new ideas, the benefits are seen and warmly embraced before the risks are fully understood.  

The IT industry has a duty of care to explain the benefits and the risks to users. A good starting point would be for those in the IT industry to set out some simple principles of what the user can expect from service providers so that users can understand the risks and then balance them against the benefits that cloud can undoubtedly deliver. 


Andrew Fitzmaurice is chief executive of Templar Executives.

19 Jul 2013
