Stay Ahead of Hackers with Smart Cloud Implementation
When moving your business’s IT to the cloud, it’s smart to perform due diligence—not only on the potential cloud service provider (CSP), but also on your own company's needs, practices, and restrictions.
Once you have determined the risk parameters of your assets, map the access points that would exist if you shifted to the cloud. Can all your data go to the cloud? Should more sensitive data remain under your own IT department's control? Is there an international component to the data transfer? The answers help determine the type of cloud security the business needs, and they also expose inherent weaknesses in its existing security protocols.
Map the flow of data, including how it would travel from your business to the cloud service and on to any other customers or locations. Where are the exposure points?
Also map the security controls you plan to use to mitigate all security risks, independently of whether they will be executed by your organization or the CSP.
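The three mapping steps above (classify the assets, map the data flows and their exposure points, map the controls and who executes each) can be kept as a small machine-checkable model rather than a diagram that goes stale. The script below is an added illustration, not code from the article or from the Cloud Security Alliance; every location, dataset, provider name and control in it is constructed sample data. It lists each flow that hands data to another operator or moves it across a border, rates restricted data leaving your own control as a blocker, and reports controls with no responsible party and datasets that no mapped control covers.

```python
"""Data-flow and control map for a cloud migration review (added example).

Models the locations, flows and controls the article says to map, then
lists the exposure points (flows that leave your own control or cross a
jurisdiction) and the gaps in the control map (controls with no assigned
owner, datasets that no control covers). All names are constructed.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

SEVERITY_RANK = {"block": 0, "high": 1, "medium": 2, "info": 3}


@dataclass(frozen=True)
class Location:
    name: str
    operator: str      # "self" for your own IT department, otherwise the CSP or partner
    jurisdiction: str  # country code; constructed values


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dataset: str
    classification: str  # one of: public, internal, sensitive, restricted


@dataclass(frozen=True)
class Control:
    name: str
    covers: FrozenSet[str]  # datasets this control protects
    owner: Optional[str]    # "self", a CSP name, or None if nobody is assigned yet


@dataclass(frozen=True)
class Finding:
    severity: str
    message: str


def exposure_points(locations: List[Location], flows: List[Flow]) -> List[Finding]:
    """Flows that pass data to another operator or move it across a border."""
    by_name = {loc.name: loc for loc in locations}
    findings = []
    for f in flows:
        a, b = by_name[f.src], by_name[f.dst]
        crosses_org = a.operator != b.operator
        crosses_border = a.jurisdiction != b.jurisdiction
        if not (crosses_org or crosses_border):
            continue  # same operator, same country: not an exposure point
        reasons = []
        if crosses_org:
            reasons.append(f"control passes from {a.operator} to {b.operator}")
        if crosses_border:
            reasons.append(f"data crosses {a.jurisdiction}->{b.jurisdiction}")
        severity = "high" if f.classification in ("sensitive", "restricted") else "info"
        if f.classification == "restricted" and b.operator != "self":
            severity = "block"  # data that must stay under your own control is leaving it
        findings.append(Finding(severity,
                                f"{f.dataset} [{f.classification}] {f.src}->{f.dst}: " + "; ".join(reasons)))
    return findings


def unassigned_controls(controls: List[Control]) -> List[Finding]:
    """Controls on the map with no zone of responsibility assigned (self or CSP)."""
    return [Finding("medium", f"control '{c.name}' has no responsible party")
            for c in controls if c.owner is None]


def uncovered_datasets(flows: List[Flow], controls: List[Control]) -> List[Finding]:
    """Datasets that move somewhere but are protected by no mapped control."""
    covered = set()
    for c in controls:
        covered |= c.covers
    flowing = {f.dataset for f in flows}
    return [Finding("high", f"dataset '{d}' moves but no mapped control covers it")
            for d in sorted(flowing - covered)]


def review(locations, flows, controls) -> List[Finding]:
    """All findings, most severe first."""
    findings = exposure_points(locations, flows) + unassigned_controls(controls) \
        + uncovered_datasets(flows, controls)
    return sorted(findings, key=lambda f: SEVERITY_RANK[f.severity])


# Constructed sample environment (hypothetical names, not a real deployment).
LOCATIONS = [
    Location("hq-datacenter", "self", "DE"),
    Location("hq-backup", "self", "DE"),
    Location("csp-eu-region", "ExampleCloud", "DE"),
    Location("csp-us-region", "ExampleCloud", "US"),
]
FLOWS = [
    Flow("hq-datacenter", "csp-eu-region", "customer-records", "sensitive"),
    Flow("csp-eu-region", "csp-us-region", "analytics-events", "internal"),
    Flow("hq-datacenter", "csp-us-region", "payroll", "restricted"),
    Flow("hq-datacenter", "hq-backup", "payroll", "restricted"),
]
CONTROLS = [
    Control("encryption-at-rest", frozenset({"customer-records", "payroll"}), "ExampleCloud"),
    Control("key-management", frozenset({"payroll"}), None),
    Control("access-review", frozenset({"customer-records"}), "self"),
]

if __name__ == "__main__":
    for finding in review(LOCATIONS, FLOWS, CONTROLS):
        print(f"{finding.severity:6} {finding.message}")
```

On the sample data the review flags the restricted payroll flow to the provider's US region as a blocker, the sensitive customer-records flow and the uncovered analytics dataset as high, the unowned key-management control as medium, and the internal cross-border analytics flow as informational; the payroll copy to the on-premises backup never appears because it stays under the same operator in the same country. Extending the model to a real migration means adding your own locations, flows and controls and deciding what each severity means for the contract and the audit plan.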
In a report by the Cloud Security Alliance titled "Security Guidance for Critical Areas of Focus in Cloud Computing V3.0," the authors wrote, "[The company] should determine whether its business model allows for the use of cloud computing services, and under which conditions. The nature of its business might be such that any relinquishment of control over the company data is restricted by law or creates serious security concerns."
Then, when contracting for the cloud service, it's important that everyone involved understands—and that it's spelled out in the contracts—who is responsible for what, broken into zones of responsibility when it comes to security. It's a very good idea to have your company's own IT people perform a physical and procedural audit of the cloud provider's facilities; they can have all the internal controls in the world, but they'll be wasted if the door to the server room is unlocked with a list of access codes posted next to the keyboard.
In an ideal world, you would be able to regularly audit the CSP's procedures and facilities to guarantee continued security compliance, but that's not really practical in the real world. A more realistic plan is to arrange regular contact between the IT department and the CSP to review CSP security procedures and facilities.
With discipline, thought, and preparation, moving to the cloud can be an efficient and cost-effective way to expand business operations. However, as the Cloud Security Alliance report notes, "the responsibility for protecting and securing the data typically remains with the collector or custodian of that data, even if in some circumstances, this responsibility may be shared with others. When it relies on a third party to host or process its data, the custodian of the data remains liable for any loss, damage, or misuse of the data."
So be ready:
- Know yourself: Understand your risks.
- Know your enemy: Model your threats.
- Prepare to engage: Verify your security procedures and make a plan.