I recently wrote a KuppingerCole analyst report on how cloud computing brings the threat of industrial espionage to the fore. With this in mind, it must be asked whether using low-cost or free services is ever a good idea.
While there is clearly a risk to the confidentiality of your sensitive information in cloud computing, the question remains as to whether industrial espionage is an internet-era or cloud-era problem. The internet made this type of attack exponentially more possible, but cloud has put sensitive corporate information directly and willingly into the hands of a third party.
Governance in the cloud is complex, and requires thorough consideration from the outset. The legal environment of the cloud is global, and needs to be clarified before technical setup. Once the legal environment is clear, make sure your operational requirements can be met. Ask your business the following questions:
- Do you need to put your highly sensitive data in the cloud? If you can avoid it, do so – you are more likely to be able to protect it better on-premises. In the low-cost/free world, you will certainly be able to protect it better on your own terms. Agree a level of risk you are happy with and perform a proper risk assessment that ensures any data above this level of risk is not exposed. You may be happy with transaction details being held in the cloud, but not customer credit card information, for example. Tokenisation solutions are available to deal with the latter issue.
- What happens when the provider experiences downtime? What are its service level agreements (SLAs)? Do they meet with your requirements? If you need the storage to be available 24x7 and the provider only provides a guaranteed 9x5 service, consider what you can do outside working hours to mitigate – local data stores and asynchronous delivery, for example.
- What happens if your provider pulls the plug? Do you have backups of all sensitive data? Ensure all data is backed up and encrypted to a write-once read-many (WORM) device or tape somewhere under your control. Make sure that the data in their possession is either returned to you or ask to see a destruction certificate. This requirement needs to be in an original contract. Some operators will not agree to this level of control, so again you have to ask yourself whether the level of risk is acceptable.
- What would happen if your competitor acquired the company processing your data? Not so pie-in-the-sky these days. Does your service definition protect your data from being copied and worked on offline, at least in legal terms?
So, we can see that from the outset, the best approach is to define the value of your data assets, perform a risk assessment and consider all eventualities in governance.
Encryption, authentication and authorisation
Once you are happy with the level of risk involved in putting data in the cloud, encrypt everything and ensure your access controls are sound. Report on the access regularly, and ensure that any incident management processes at the provider include an immediate report back to you about any potential data exposure.
More from the Computer Weekly Security Think Tank on free or low-cost cloud storage
The key to feeling safe in the cloud is an information-centric security solution. Encryption is a good way to physically protect your data once it is out of your control, and should certainly be used where data is kept in any publicly available store.
Free or low-cost cloud storage does not have to be insecure. Check with the provider as to the controls used to separate access to data, and whether any system-level encryption is used to protect from physical attack on its premises.
Encryption is a fantastic means of implementing a preventative security control for information in the cloud, but it requires good access control. If possible, you should add an authentication and authorisation layer. Using good governance from the outset retains control of information, access to information and the monitoring of processes around it. Operational security is then paramount, and reporting and testing vital for continued assurance.
Good cloud service comes at a price
One area that may cause friction between your business and a service provider is in security healthchecking. If the provider will not allow you to perform your own checks, ask for assurance that it has done the same. If this is refused, it may be that you should be looking elsewhere – an unknown risk is a high risk.
My last word on this subject is not so positive. Having worked in highly regulated environments as an advisor for private (i.e. not free or low-cost) cloud providers serving a number large businesses, I could not recommend a free solution.
The cost of the solution relates to the contract, which gives you your right to demand a proper service. No cost means little or no contract, which means no recourse, and certainly no provider keen to keep you happy. Always remember that a little skin in the game is a useful control.
Robert Newby is an analyst and managing partner at KupingerCole UK.
This was first published in September 2013