Last week I spent a full day at the CloudConnect conference in Santa Clara, CA where I heard speaker after speaker both extol the benefits of cloud computing – particularly in the area of managing overall IT costs – and warn about the security dangers that moving to the cloud presents.
In my post last week I talked about Conficker, the largest array of cloud computing resources on the planet with the sole purpose of disrupting normal business operations. The dark side of cloud computing, if you will.
With such destructive forces lurking in the cloud, businesses must make sure that they ask their cloud-computing vendor a series of security-related questions – and get answers that address these concerns – before they deploy their company data to the cloud.
1) Privileged User Access: If your company data is going to be processed outside the safety of your company firewall – i.e., processed in the cloud – you need to get as much information as possible about the people who will have access to your data. Gartner Group suggests that companies, "ask providers to supply specific information on the hiring and oversight of privileged administrators, and the controls over their access."
2) Regulatory Compliance: According to the SEC and other government regulators, each company is responsible for the security and integrity of its data even when it’s held by a service provider in the cloud. Cloud computing providers are subject to external audits and security certifications. Those service providers that balk at this type of scrutiny are probably best used for housing only the most trivial company data.
3) Data Location: When you store your data in the cloud, you have no idea where your company’s information is located, or even what country it might be in. Ask your service provider if they will commit to storing and processing your data in specific locations, and if they comply with local privacy laws. Government regulations may require it.
4) Data Segregation: If you store your company’s data in the cloud, it could be stored alongside, or even co-mingled with, data from other companies. Gartner Group advises that you find out how your service provider keeps data separate. Encryption can be an effective way to segregate data, but it’s not flawless; and even normal encryption can complicate data availability.
5) Recovery: You may not know where your data is once you’ve moved it to the cloud, but your service provider should be able to tell you how your valuable data would be recovered in case of a disaster. Ask your provider if the data and application infrastructure is replicated across multiple sites, if they have the ability to provide full restoration in case of an accident, and how long that restoration will take. You don’t want your company’s data inaccessible for more than a few hours (and even that may be too long).
6) Investigative Support: Gartner Group warns that investigating inappropriate or illegal activity may be impossible once your data moves to the cloud. "Cloud services are especially difficult to investigate, because logging and data for multiple customers may be co-located and may also be spread across an ever-changing set of hosts and data centers," Gartner says. "If you cannot get a contractual commitment to support specific forms of investigation, along with evidence that the vendor has already successfully supported such activities, then your only safe assumption is that investigation and discovery requests will be impossible."
7) Long-term Viability: When we bought our house we went through a local bank to get the loan. Within a month, our mortgage had been sold twice, and within a year we were working with a fifth different bank. The same thing can occur when you move your company’s data to the cloud. Do your due diligence. Will the service provider you’ve selected be acquired soon? What if they are? Will your data be accessible? Can you move it to another provider or are you locked in with the new cloud services company? Make sure you can get your data back if your service provider is sold.
These are but seven general questions you should consider getting good answers to before you migrate your company’s data to any provider of cloud computing services. There are likely to be many more questions you will want to ask regarding your company's specific computing needs.