Evaluating Your Risks before Moving Data to Cloud Storage
When considering moving their IT to the cloud, many executives feel comfortable handing off all control of security to the cloud provider. Others are not really thinking about security at all, but rather about the costs they will cut.
Neither is a smart way of handling the decision. When companies move services to the cloud, whether under an infrastructure-as-a-service, software-as-a-service, or platform-as-a-service delivery model, security concerns don't disappear just because management has been transferred to the cloud service provider (CSP).
It's irresponsible not to concern yourself with how the CSP safeguards your information. Determine what security controls the CSP has in place before you move to that vendor, and have ways of auditing those controls as you proceed.
Who Is Responsible?
Businesses moving to the cloud need to understand who is responsible for each aspect of the cloud environment. Computer security expert John Overbaugh recommends developing an administrative control matrix that evaluates who has access control over each layer of security: in short, who has access to your business's cloud infrastructure and services.
He recommends asking four specific questions:
- Who is the administrator for the infrastructure?
- Who is the administrator of the system? In other words, who has access to the operating system?
- Who is the administrator for the data? (Overbaugh indicates this as a critical security factor.)
- Who is the administrator for the software running on the systems?
Overbaugh goes on to say that security is best executed in layers. Too often there is a difficult-to-access outer layer with very little internal security at the network level. Once the outer layer is breached, hackers may have free rein.
Ideally, secondary cloud security controls will be built into the system so that they set off alarms if processes are changed by unauthorized users.
Security Risk Assessment
In addition to evaluating the security provisions of the CSP (which is part of developing an administrative control matrix), it's important that businesses evaluate their own situations.
What factors are currently influencing or may affect the way you use the cloud? Do your contracts with customers have security obligations? Does your business fall into highly regulated areas, such as health care or banking? For example, some regulations require that encryption keys be stored within hardware security modules, which would have an effect on your shift to the cloud.
Understand your assets. How important is data to your business? How sensitive is the data? If there is a data breach, how catastrophic will it be? Be sure to think about and have answers to these questions before making a shift to the cloud.