Whether you’re a CIO or an executive in a non-technical role, you owe it to yourself to be aware of cloud computing issues—particularly data security.
Fortunately, new industry standards are here to help.
In the previous parts of this series I said the cloud could help, rather than hinder, your organization’s security, and I outlined the responsibilities of the executive team when it comes to assessing your organization’s readiness for the cloud.
In this third and final part, I’ll explain how to ensure that your cloud services are as safe as possible.
The Fine Print
How do you ensure that your cloud provider is fully motivated to provide your authorized users—and only your authorized users—access to your data? And how do you ensure that the data are accurate?
According to a recent report by the European Network and Information Security Agency (Enisa), the best way to secure your company’s cloud-based operations and data is to go through your contract with a fine-toothed comb.
In this case, I’m talking about contract terms that would allow customers to benchmark a set of cloud service providers (CSPs). The idea is to make valid comparisons of their security and data-integrity capabilities.
Even the highlights of the Enisa report make for involved reading, but the cloud-computing market is crying out for a standards-led approach for benchmarking a CSP. Comparing the reputations of various CSPs is all very well, but it can be confused by anecdotes and out-of-date opinion.
Enisa suggests a more data-driven approach: a comprehensive, eight-page checklist that should be used prior to signing any contract with a CSP. For example:
- Audit: Do you have a way of comparing records of incidents as experienced by your customers and members of your organization with those reported by the CSP?
- Downtime: Do you know what kind of outages would have the greatest impact on your organization and on your customers?
- Punishment: Do you have penalty clauses that realistically reflect the various costs of the range of possible incidents that might occur?
Data lifecycle management:
- Testing: Does the CSP report how frequently it tests its backups?
- History: Does it specify a maximum age and a minimum rate for data restored from backup?
- Audit: Does it offer logs of backup operations or backup test results?
- Metrics: How does the CSP monitor and manage vulnerabilities?
- Secrecy: How does it ensure confidentiality of vulnerability reports?
- Security: Which types of data isolation does it test regularly? Do those tests include memory? Data at rest? Data in transit? Deleted data?
Coming to an Agreement
Dr. Herbert Thompson, chief security strategist at People Security, carried out an in-depth study of the attitudes of security architects and security executives in large enterprises. They overwhelmingly cited a need for clearer Service Level Agreements (SLAs) with cloud providers.
“Respondents indicated that there was a significant gap, in some cases, between their requirements and the terms that cloud service providers would agree to,” said Thompson. “Many had to shop around before finding a provider that met their requirements.”
Current SLA standards fail in three ways, according to Thompson:
- Existing SLAs tend to be drawn up without reference to specific regulatory and standards requirements. This makes it hard for client organizations to establish whether their infrastructure meets regulatory requirements.
- Some CSPs are resistant to SLAs that would require internal or external audit.
- Organizations don’t write SLAs that mirror the terms they have with their customers.
But now hope is on the horizon in the shape of a “Better Business Bureau” for the cloud. The Cloud Security Alliance is drawing up a new version of its Cloud Trust Protocol (CTP) that will create a clear set of transparent measures that can be applied to all CSPs.
According to senior researcher Alain Pannetrat, the CTP will allow customers to query CSPs about the security of their service in real time. The information can be used when deciding on a supplier, but also to decide whether a supplier is living up to its promises.
“[CTP 3.0 allows] cloud customers to make informed decisions about the use of cloud services,” says Pannetrat. “Real-time compliance monitoring should encourage more businesses to move to the cloud by putting more control in their hands.”
The Bottom Line
As I’ve written before, cloud computing can be more secure than conventional, in-house data centers. The key to a successful, secure venture into the cloud is to first analyze your risk.
Choose your provider with care. And mind the details when you draw up your agreements.
More industry standardization will help.
Now Read This (more from NetAppVoice)
• Part 1: Are Cloud Data Security Fears Overblown? A Sensible View.
• Part 2: Cloud Data Security: How to Analyze your Risk