
What Your Business Should Know Before Heading to the Cloud

Consider these six security issues before turning data over to a cloud-based service.
This story appears in the Winter 2013 issue of BizTech Magazine.

“The cloud” buzzword dominates discussions these days, with talk about public clouds, private clouds, leveraging the cloud and moving applications into the cloud.

While cloud solutions offer financial and operational benefits, they also bring with them a host of security concerns that organizations must effectively address.

When evaluating the move of data, applications or infrastructure to cloud-based services, business and IT leaders must consider the following security issues.

1. Storage of Sensitive Information

One of the first issues raised by security professionals and functional managers alike when they consider cloud services is a fear that sensitive information placed in the cloud may be inadvertently disclosed to unauthorized individuals. This is a reasonable fear because some cloud services are inappropriate for sensitive information. Any plans to move this type of data offsite should be carefully thought out.

Organizations seeking a solution for sensitive information should evaluate the risk the same way they would evaluate services hosted in their own data centers.

Does the cloud service provide the same level of security control around systems that a business would have if it hosted the service itself? Does it meet a company’s standards for system configuration, network security, firewall management, malware management and other security issues? If not, consider taking that service off the table, at least as far as sensitive information is concerned.

Also be careful to make a distinction between public and private cloud services. Most security professionals would hesitate to place their most sensitive data assets in a public cloud environment where isolation controls may not be adequate to sufficiently segregate company data from that of other customers. Private cloud services, on the other hand, may have security controls in place that rival (or exceed) those in a business environment.

2. Compliance in the Cloud

After making substantial investments in IT compliance over the past decade, many businesses are hesitant to consider outsourcing services that involve the storage, processing or transmission of regulated data. That’s understandable. However, the use of carefully vetted cloud vendors can actually reduce the burden of compliance for many organizations by spreading the costs and maintenance of many expensive security controls across multiple clients.

When considering deploying a cloud service in a regulated environment, make sure the legal ducks are in a row. For example, organizations subject to the Payment Card Industry Data Security Standard that are considering outsourcing any aspect of payment card operations must ensure that the cloud service provider appears on Visa’s Global Registry of Service Providers.

Organizations subject to the Health Insurance Portability and Accountability Act, on the other hand, must undertake their own investigation of the service provider’s security controls. In many cases, they must enter into a formal business associate agreement with the service provider.

3. Security Monitoring

Many organizations have built robust security monitoring processes that consume, correlate and analyze security log information created by a variety of devices and applications. These processes often leverage centralized security incident and event management systems and rely upon specialized security devices such as intrusion detection systems, file integrity monitoring systems, firewalls and content filters. In many cases, dedicated staff watch these systems on a regular basis to identify potentially malicious activity as early as possible.

It’s essential to carefully delineate the monitoring responsibilities of the cloud provider and those of the business’s IT staff. Perhaps the cloud vendor can provide intrusion detection and prevention services while the company’s IT staff monitors application security using centralized monitoring tools. Put these arrangements in writing and verify them periodically to avoid misunderstandings.

4. Incident Response Duties

Security incidents are among the most stressful events facing an IT organization. Tempers flare, tension rises and everyone is under the gun to resolve the incident as quickly as possible. In such cases, the last thing a company needs is a cloud service provider that hinders its ability to gather information or take necessary actions to eliminate a security threat.

The solution here is similar to that for security monitoring: Be explicit about incident response duties in the agreement with the cloud vendor. Ensure that the vendor commits to providing timely, detailed notifications of any suspected security incidents. Finally, test incident response procedures on a regular basis, preferably including the vendor’s staff in the test.

5. Availability of Services

Many businesses turn to cloud technology because the cloud service provider’s scalability and redundancy offer higher availability than the organization could achieve on its own.

To hold a vendor accountable to high-availability promises, outline company expectations in a service-level agreement and include significant financial penalties for the vendor if it fails to live up to the terms of the SLA. Always perform independent availability monitoring to evaluate the vendor’s success.

6. Vendor Viability

The ultimate risk in a cloud environment is that the provider will suddenly close its doors. This is the nightmare scenario that many IT managers sweat over at night — nobody wants to be the one who chose a vendor that later goes out of business. Investigate the vendor before signing a cloud contract.

If the vendor seems shaky, consider bringing in financial experts to evaluate the vendor’s books and assess its viability. Revisit the assessment on a periodic basis to pick up on early warning signs that a vendor might be failing. At the same time, back up company data either on premises or on a platform managed by a third party. Just keep in mind that many cloud vendors use services provided by other cloud providers, so make sure that all claims of redundancy are real.

Overall, avoid making sweeping conclusions about the security of cloud services. Instead, carefully assess the risks of every cloud service under consideration and determine whether the vendor will be able to meet or exceed the security standards used for in-house systems.

About the Author

Mike Chapple

Mike Chapple is an IT professional and assistant professor of computer applications at the University of Notre Dame. He is a frequent contributor to BizTech magazine, SearchSecurity and About.com as well as the author of over a dozen books including the CISSP Study Guide, Information Security Illuminated and SQL Server 2008 for Dummies.