Of course you’re concerned …
The tabloids are abuzz with tales of hackers stealing salacious celebrity selfies stored on the Cloud, and of course the furor dies with next week’s issue of People Magazine. The thought of Cloud based business data being compromised is a different matter, and you’re right to be concerned about ubiquitous computing resulting in ubiquitous hacking attempts. Fortunately, efforts to secure the cloud are maintaining the pace of the unprecedented growth of the cloud itself.
Now for the good news
The need to modify infrastructure to meet the alphabet soup of compliance regulations (SOX, GLB, HIPPA, FISMA) is already a reality to the vast majority of enterprises, and valuable time and resources are used that take away from their core business efforts. The good news is that security is one more IT function outsourced to your Cloud Service Provider, and that the provider has more resources to deal with security than your business. The learning curve that comes with the design, implementation, and maintenance of data security (which most enterprises already are involved in) are the responsibility of the service provider, who deals with them on a daily basis.
The benefit of delegating this responsibility to the Cloud Service Provider will increase in value as regulation becomes more exacting in implementation and scope. According to a survey by the nonprofit Cloud Security Alliance (https://cloudsecurityalliance.org), 73% of respondents call for a Global Consumer Bill of Rights concerning Data privacy. Anyone who has dealt with modifying their infrastructure for data privacy knows the value of outsourcing the details of this effort!
Who’s setting the standards?
As cloud technology matures, so do best practices and standards. The Cloud Security Alliance promotes “the use of best practices for providing security assurance within Cloud Computing”. The Board of Directors includes CXOs of Microsoft, Coca Cola, Sallie Mae and Zynga. The CSA’s Cloud Controls Matrix contains 269 standards covering every aspect of Cold Security implementation, operation and maintenance, including Data Security, Audit Assurance, Business Continuity, and Access, Threat & Vulnerability Management. The standards document is available at https://cloudsecurityalliance.org/download/cloud-controls-matrix-v3-0-1/
What Questions should I ask of a Cloud Service Provider?
In short, your expectations for a Cloud Provider are the same as those you are expected to implement in the traditional IT space. The Financial Times of London recommends asking the following:
Where is the Physical location of the data?
Who has access the data?
How is data encrypted and authenticated?
What policies are in place to handle security breaches?
What are your procedures for transferring service to another provider should that be necessary?
The evidence of the benefits of Cloud Computing are overwhelming, and the marketplace has responded. According to iCorps Technologies, 2014 is the first year the majority of computing workloads take place in the cloud (51% versus 49% in the traditional IT Space).
If you are working in the tradition IT space, you are already dealing with security issues, and with the pain of a learning curve. As Cloud computing becomes the rule and not the exception, security issues will migrate to providers with resources and expertise beyond that of most organizations – and give you one less thing to worry about.