These 10 tips will help you perform due diligence when choosing a cloud computing vendor so you can keep your data and your business operations safe and secure in the cloud.
For related articles, visit Internet.com's Cloud Computing site.
Cloud computing can represent a net gain in data security and system reliability especially for small businesses with aging computers and data stored on hard drives that rarely -- if ever -- experience a back up.
But that doesnt mean you can take security and reliability for granted. Protecting your company in the cloud requires careful due diligence and planning. Start here with these 10 cloud computing security tips.
1. Identify and Assign Value to Assets
Assets could be include applications such as customer relationship management (CRM) or accounting; data, including private customer information; or infrastructure such as hosted servers and operating systems.
The Cloud Security Alliance (CSA), an industry association set up to promote security in the cloud, recommends a structured, step-by-step approach to planning and managing cloud security, and this is where it starts.
Ask yourself how valuable the assets that youre considering moving to the cloud are to your organization, said CSA advisor Raj Samani, the London-based chief technology officer for security software vendor McAfee.
What would happen if you couldnt access online software for an hour or a day, for example, or the provider lost your data or hackers stole sensitive information from the providers computers?
Not all cloud providers are the same, Samani noted. If you assign a value to your assets, then its easier to decide what level of security youre going to need.
2. Assess Your Liabilities
One of the biggest cloud security concerns is the risk of breaches resulting in loss or theft of sensitive private data. If the information leaked is proprietary only to your company, liability is not a concern. But you need to know where responsibility lies if customer or patient information goes missing.
If theres a breach and data is lost, its not the cloud provider who is on the hook, saed James Quin, lead analyst at Info-Tech Research Group Inc. Its the way all the regulatory bodies are coming down on this. You collected the data and chose how to store it. So youre on the hook if something goes wrong.
In other words, caveat emptor -- let the buyer beware. And in this case, youre the buyer.
3. Research Compliance Requirements
In some industries -- banking and health care are examples -- government or industry regulations establish standards for how electronic data is handled, including stipulating the level of security in place. You may not even be permitted to use cloud services, or there may be restrictions, such as the data must be stored within the borders of your own country.
The number and type of security controls in place may well be defined by regulation, Samani said. If youre processing credit card transactions, for example, you may need to comply with PCI-DSS standards. Long before you engage with potential providers, you need to build a list of regulatory requirements for security.
Even if nothing ever goes wrong security-wise, failing to comply with regulations can land you in hot water.
4. Determine Your Risk Tolerance
These initial steps all play into this admittedly somewhat nebulous, but pivotal, next step. How much are you willing to risk, how much can you afford to risk -- given the liabilities, the regulatory requirements, the importance of the assets to your organization?
Based on the level of risk Im willing to tolerate, do I, for example, have to look at a hybrid cloud solution, Samani said referring to a cloud implementation that involves some data or program logic remaining on your business premises.
The other critical consideration is the cost of ensuring security, whether in the cloud or at your own offices. The more security controls you demand from cloud providers, the more expensive their services will be, Samani said.
But if we could give any advice to small businesses, it would be to not necessarily accept the lowest-cost solution, he added. Cost is not the only thing [to consider].
5. Research Potential Providers Processes
With this preparatory work behind you, its time to start assessing whats available in the cloud services market.
You can begin by studying their marketing literature, but to find out in detail how the service works -- where and how data moves and where it resides, what security controls are in place by default and the extent to which the provider is willing to tailor a security solution for you -- you will have to talk to them.
Ask a lot of questions.
You will need to know what types and levels of encryption the provider can offer to ensure that even if data is leaked it cannot be read. Encryption is the key protection against security breaches that can result in loss of sensitive data.
You also need to know about the providers business continuity provisions. What happens if its main data center burns down? Does it only have one data center? In how many places does it store your data and how? Ask about security monitoring and auditing processes, and what kind of reporting the provider does. If there is a breach, will the company tell you?
Samani admitted that small businesses may be daunted by the complexity and rigor of the due diligence around cloud security his organization recommends. And for many, he said, hiring a consultant to help them with it will defeat the cost-saving purpose of considering cloud services in the first place.
But all this work will make life a lot easier later, Samani said. After the implementation, it will be much more complicated and expensive to make changes. So you need to map everything out in advance.
6. Ask About Security and Reliability Certifications
One way small businesses can short-circuit due diligence on providers security controls is to ask about various certifications they may have, or look for mention of them at the providers website. By considering only those providers with documented, verifiably sound security practices may eliminate some of the need to delve deeper.
The CSA itself has developed a certification program under its Trusted Cloud Initiative, which some providers are beginning to use, Samani said. There are also more general certifications that any organization can get, not just cloud providers, such as ISO27001 Information Security Standards and ISACA IT Audit, Security, Governance and Risk Certification.
7. Build Security Controls into the Contract
This is where the rubber hits the road. With any cloud service, you will be entering into a contract. The provider may not be willing to negotiate anything, or may not be willing to extend much flexibility to smaller customers. At the very least, you need to carefully study the contract language as it relates to security controls.
And if the provider is willing to negotiate, you need to establish in the contract the type and level of encryption to be used, where and when -- all determined by the analysis in earlier steps -- and the safeguards against data loss to be used, such as redundant storage.
You may also be able to negotiate the right to audit the companys facilities or security practices (although the cost of doing so may be out of the price range of many small businesses.)
Many cloud providers will never give the right to audit, Samani acknowledged. And the more security you ask for in general, the more the cost is going to go up. But we suggest asking for the right to audit.
8. Negotiate Service Levels and Exit Strategies
Security in the cloud is not just about protecting data. Its also about ensuring your own business continuity. Your ongoing operations may now utterly depend on being able to access a cloud service. What happens if the providers service is unavailable for a short or a long period?
Some providers will negotiate a service level agreement (SLA) specifying uptime percentages and the time to respond to trouble calls. SLAs may include financial penalties, often a discounting of service fees, if the provider fails to meet the terms. The stricter the terms, though, typically, the more you will pay for the service.
Its also important to ensure that youre not locked in to the providers service so that its difficult, expensive or virtually impossible to disengage and take your business and data to a different provider in the event you become dissatisfied or find a better deal.
And try to pre-negotiate the terms for changing contracted services in response to changes in your business to guard against prohibitively expensive fees for doing this.
9. Pursue Offline Security Measures
As Quin pointed out, one of the problems with moving to the cloud is the loss of control over your security profile. But in some cases, it may be possible to preserve some control -- by using offline backup of data stored in the cloud, for example, or preserving the right to control encryption keys so that in the event a providers system is compromised, there is no possibility of keys falling into the wrong hands.
10. Read the Cloud Security Alliance Guidance Document
The CSA has prepared a detailed document outlining the due diligence it recommends companies undertake when considering moving applications and data into the cloud. Read it, and follow it to the best of your ability.
Gerry Blackwell is a freelance technology writer based in London, Canada. Read his blog, AfterByte
Small Business Computing is on Facebook. Join us on Facebook and interact with the site's editors, post messages, share your small business challenges and successes, discuss technology and suggest topics you'd like covered on Small Business Computing.
|Do you have a comment or question about this article or other small business topics in general? Speak out in the SmallBusinessComputing.com Forums. Join the discussion today! |