The most important questions that need to be answered when thinking about the security of cloud services are:
- What are the business benefits that my organisation is seeking to achieve?
- What are the risks that my organisation is prepared to accept?
There is no absolute level of security from IT services, no matter how they are delivered – security is always a balance of risk versus reward. What is best for your organisation follows from the answers to these questions.
If you want more help to understand the risks, the Cloud Computing Risk Assessment from EU cyber security agency Enisa outlines the main risks for an SME adopting a cloud service. This identifies 23 risks, of which eight are likely and would and have a high impact. Consider these risks in the context of your business – Isaca provides a work programme that can help with this.
The first step is to classify the data and applications that you are moving to the cloud in terms of their criticality to the business, the sensitivity of the data and the extent to which they are subject to laws and regulations. Then you need to choose a cloud service that can support the level of availability, security and compliance that is needed to meet these needs.
Make sure you understand the cloud service contract. Beware of standard terms and conditions and consider carefully when to accept them. If the standard contract satisfies the business needs, that is fine. If not, accept nothing less than you would from your in-house IT. If the cloud service provider will not negotiate, consider going via an integrator.
Choose a cloud service that provides independent certification of its security and other parameters that are relevant to your business needs. Things to look for are ISO/IEC 27001 certification and SOC 2 attestations, but make sure you really understand what the certifications mean and what they cover.
Finally, trust but verify. Using the cloud inherently involves an element of trust between the organisation using the cloud service and the cloud service provider. However, this trust must not be unconditional and it is vital to ensure that the trust can be verified.
Mike Small is member of London Chapter ISACA Security Advisory Group and an analyst at KuppingerCole.