Inherent security risks restrict many from adopting cloud, and every CIO has questions about the security issues around cloud computing. One of the most significant decisions to identify the right cloud provider centres around who will be hosting the applications and infrastructure for your organisation. The following are some of the questions that should be in mind in this assessment and how they can be addressed.
Q: How can I ensure that the security controls followed by the cloud provider are aligned with my organisation's security policy?
A: First, the organisation should keep itself abreast of the latest security challenges in cloud computing and ensure that the organisation's security policy reflects that. Ask for your cloud provider's security policy to see how effective it is and query them on their commitment towards client data security in cloud. It is essential to share your security policy with the cloud provider and ask for additional security controls to reflect this if required. This way, putting your data in the cloud provider's environment should not mean compromising your organisation's security policy.
Q: How do I ensure compliance requirements are being met in the cloud?
A: If, as in the first question, you have already negotiated with the cloud provider to ensure its security controls reflect your organisation's security policy, half the job is done. Now you need to check that all relevant compliance standards are being followed by your cloud provider.
Every cloud provider should be following certain standards (for example, SSAE 16 (formerly SAS 70) for datacentre controls, the ISO 27001 standard, BS25559 for business continuity, etc.) and practising effective governance. This is just a starting point. It is necessary to set out clearly the compliance requirements of your organisation and of the services you are using, and to confirm that they are being met.
Q: How do I ensure effective auditing?
A: A cloud provider won't allow you to fiddle with their systems and see what's going on there. However, it is reasonable to request evidence that effective auditing, security incident response and reporting mechanisms are in place. I have seen that, as cloud providers mature with time, they develop robust auditing mechanisms and are able to share daily reports.
Q: What about SLAs concerning disaster recovery?
A: You need to negotiate SLAs for uninterrupted service with your cloud provider, rather than assume this to be the case. You can also ask about the provider's disaster recovery and business continuity approach, to confirm that effective controls are in place to maintain availability in the event of a disaster.
Q: How can I trust the cloud provider?
A: Ask for references from existing customers. Check whether the vendor has any history of frequent security loopholes, attacks in their environment, etc. This background check will give assurance that your organisation's data is going into safe hands and will boost confidence in cloud adoption. A background check means checking references, searching on the internet, and consulting professional analyst reports such as those from Gartner, for example.
Q: Do I need a professional, third-party consultant?
A: The cloud landscape is developing so quickly that there is a lot to figure out, and professional consulting companies can help assess the risks and make recommendations on cloud adoption for companies that do not already have the internal expertise or available manpower to do so. They also bring an outside perspective to the table. Third-party professionals can help with these assessments and can also be valuable as mediators between the cloud service provider and the organisation during contract negotiations.
In conclusion, cloud adoption comes with inherent security risks, but with careful planning and assessment, organisations can minimise those risks and can ensure effective governance.
Munish Gupta, CISSP, is an IT security professional with knowledge of enterprise and cloud security. He is a security architect in the cloud division of Infosys.