In June 2010, the Law Journal Newsletter published an article by Nextpoint CEO Rakesh Madhava entitled “Cloud-Safe: 10 Things you Should Know about Cloud Computing Security.” According to the article, “Security issues are the key barriers to adoption for cloud computing.” A year later, this hasn’t changed. The greatest hesitation is a lack of knowledge surrounding security within cloud computing. The article defines the top 10 security issues and best practices for selecting a cloud provider based on security. We thought it was still relevant and due for a re-post.
1. Physical protection
• Hosting in facilities with extensive setback and military grade security with tightly controlled access is a must.
• These facilities must include state of the art intrusion detection systems, video surveillance and multi-factor authentication.
2. Who has access?
• The delicate balance of accessibility and protection means not only that no one else can access your confidential data, but also that you can access it easily, simply and with optimal “up-time.”
• A stringent and effective organizational password policy is a necessity. Companies’ greatest security vulnerabilities lie in the strength of their passwords!
• The ability to generate an audit trail of who accessed the data, when and from where is also of the utmost importance.
3. Where is all my data?
• Where does all of your data reside? You must be able to accurately and completely account for all of the data in your organization.
• Data mapping and having a current, accurate and defensible assessment of the organization’s data stores is mandatory.
• At a minimum, your cloud vendor should be certified as SAS70 Type II compliant.
• Compliance requirements should be addressed based on the organization’s specific needs.
5. Jurisdiction concerns
• Your vendor should be able to restrict jurisdiction of data.
• Following that logic, geo-redundant copies of the data should also be stored in the same jurisdiction.
6. Encrypted transmissions
• In the cloud model, all data and applications reside in the cloud. Users gain access to the cloud via a Web browser and Hypertext Transfer Protocol Secure (HTTPS).
• The HTTPS gateway is the sole access point to secure data in the cloud and should employ the highest encryption standards available (256-bit encryption).
7. Data mobility
• When an individual takes his or her laptop off-site and accesses the LAN via a VPN connection, security risks multiply.
• The difference from a cloud data center is that any piece of hardware pulled out of a LAN retains a small portion of the data on its drive. Now you have a machine containing confidential data and local applications free-wheeling outside the secure firewall — your risk level just escalated.
8. Notifications, data recovery and business continuity
• Ask providers the following questions (any cloud provider should be able to offer specific answers to these questions without vagaries or equivocation):
- What is your data recovery and business continuity protocol?
- Is it published and audited?
- What testing provisions are in place to proactively protect against intrusion?
- How and when are you notified if a security breach is recognized?
- What percentage of data could be recovered?
- Are there audit procedures to verify who accessed the data?
- Has deleted data actually been successfully deleted?
9. Service Level Agreements (SLAs)
• Most vendors offer an “up-time” guarantee very near 100%. Make sure to understand exactly what that means and what compensation will be for downtime.
10. Long-term viability
• Ask yourself, what are your projected needs and capacity? How quickly can you scale capacity and capabilities to manage additional new data types? What plan is in place to manage and access the data through changes in technology?
Rakesh concludes his article by suggesting that some of the trepidation about “going cloud” stems not from concerns about data security, but rather from decision makers being entrenched in the standards set by industry tradition and a herd mentality. But as we have seen with all of those preceding technologies, there may be a price to be paid for those unwilling to embrace inevitable changes in technology.
For the full article: Cloud-Safe: 10 Things you Should Know about Cloud Computing Security