By Andy Cripps,
IT and Security Manager, Quicksilva
The Cloud as a concept has seen a major uptake by SMEs over the past few years, with many looking to take advantage of the flexibility, scalability, resilience and cost benefits that the Cloud can offer. The computing as a service industry in the UK alone is worth 2.4bn (1) and with the sector still growing it looks set nearly triple in value by 2014.
Despite the obvious enthusiasm for these remote hosting services, there are a number of businesses that are hesitant about the security risks involved in migrating to or establishing new Cloud based services. Given that, now more than ever, security of data is paramount to an organisations reputation. It is critical that the right decision is made about where and how data (especially sensitive data) is stored. If it’s leaked or lost it can be devastating for your organisation; outsourced data is still your responsibility.
Problems can start with the data storage location, as it might not be immediately obvious to you where the underlying storage layer is geographically located. If this is outside of the country you operate in you will need to ensure that the way that sensitive data is stored and processed complies with the law and regulations of the country from which the data originates.
Then you have the issue of understanding how your data is protected from unauthorised access. For example, do the service desk team have their access to your data controlled, logged and audited to prevent them from taking a look at your data when nobody else is around? You also have to factor in other supporting bodies, as it’s likely that your provider will outsource some functions such as networking, storage or backup services. Again, control layers need to be applied to these 3rd parties. So much focus is put on clear external factors, such as hackers and unauthorised intruders that these partners/providers may be over looked as potential adversaries. Of course the majority of enterprise level Cloud providers strive to ensure that data is protected from end to end, however there are so many levels that can be overlooked or missed.
So how do organisations that are looking to leverage the benefits of the Cloud gain an acceptable level of security assurance to satisfy internally identified risks and external regulatory and legal requirements? Firstly try to find a security conscious provider, one way a provider can demonstrate this is by being awarded the ISO 270001 standard. This essentially shows that they have an understanding of and comply with information security best practices, and follow these in the way that their staff and partners interact with your data.
Be wary though and ask for the scope of the accreditation, it’s not uncommon for providers to have the standard applied to their service desk team, but not their outsourced datacentres. Also some providers may have merged with or acquired another company that has been awarded the standard, but not applied the standard to the wider company. Ideally the scope should apply to all aspects of the service you are being supplied with.
To bolster security further some Cloud providers offer encryption of the data layer. This is an excellent way to ensure that your data is not being accessed when offline or when distributed to other locations such as backup/archive. If the provider does not offer this there are 3rd party software suppliers that do. Encryption does not have to end at the data layer, if possible it should also be applied to all data when in transit, whether to an end user or online data replication/backup.
Otherwise ensure that the contract you are signing with the provider offers a level of security assurance that you are satisfied with, and also ask that the provider complies with your own policy.
As the Cloud sector matures, security of data will become more standardised, certainly authorities are starting to take the lead in setting security expectations, with the ICO (2) reminding suppliers of the security obligations and the EU commission planning to replace the outmoded data protection directive with the new EU data protection regulation by 2014 (3). Other organisations such as the Cloud Security Alliance (CSA) and Cloud Industry Forum (CIF) are also striving for standardisation, however with this maturity will have to come more transparency in terms of how the service is supplied to the end user.
Andy Cripps is a Certified Information Security Manager (CISM) and operates as IT and Security Manager for Quicksilva, a UK-based supplier of messaging and integration services and solutions to the healthcare market.