What cloud computing network security mechanisms do I need in place to make a success of an outside provider's offerings?
There is a distinct lack of security visibility in cloud providers: "You can't know where your data is, you can't prove that it's being protected and you can't know who's accessing it." according to Robert Richardson, director of the Computer Security Institute.
Cloud computing places the burden of security on the provider, but doesn't relieve you of the responsibility for protecting personal and sensitive data. Therefore it becomes essential to conduct a thorough review of the provider's security to ensure good governance. This means inspecting their information security policy and procedures against proven standards, such as ISO 27001.
You must also ask for proof of their staff vetting and management processes, as well as their technical infrastructure. They must be able to assure you of their data security controls, such as encryption of data, both in transit and at rest. The provider should be able to demonstrate that it conducts regular, independent audits and penetration tests, and be willing to share the results with you. Your contract should also give you the right to conduct audits and tests of your own.
Related Q&A from Peter Wood
When sensitive documents are frequently travelling back and forth between a company and its business partners, email security becomes very important.... Continue Reading
In this expert response, Peter Wood outlines some alternatives to NAC systems, and explains why, sometimes, NAC systems really are the best choice. Continue Reading
In this expert response, Peter Wood explains the difference between database activity monitoring systems and security information and event ... Continue Reading