10 Cloud Computing Security Tips for Small Businesses - Page 2

By Gerry Blackwell

5. Research Potential Providers’ Processes

With this preparatory work behind you, it’s time to start assessing what’s available in the cloud services market.

You can begin by studying their marketing literature, but to find out in detail how the service works -- where and how data moves and where it resides, what security controls are in place by default and the extent to which the provider is willing to tailor a security solution for you -- you will have to talk to them.

Ask a lot of questions.

You will need to know what types and levels of encryption the provider can offer to ensure that even if data is leaked it cannot be read. Encryption is the key protection against security breaches that can result in loss of sensitive data.

You also need to know about the provider’s business continuity provisions. What happens if its main data center burns down? Does it only have one data center? In how many places does it store your data and how? Ask about security monitoring and auditing processes, and what kind of reporting the provider does. If there is a breach, will the company tell you?

Samani admitted that small businesses may be daunted by the complexity and rigor of the due diligence around cloud security his organization recommends. And for many, he said, hiring a consultant to help them with it will defeat the cost-saving purpose of considering cloud services in the first place.

“But all this work will make life a lot easier later,” Samani said. “After the implementation, it will be much more complicated and expensive to make changes. So you need to map everything out in advance.”

6. Ask About Security and Reliability Certifications

One way small businesses can short-circuit due diligence on providers’ security controls is to ask about various certifications they may have, or look for mention of them on the provider’s website. Considering only those providers with documented, verifiably sound security practices may eliminate some of the need to delve deeper.

The CSA itself has developed a certification program under its Trusted Cloud Initiative, which some providers are beginning to use, Samani said. There are also more general certifications that any organization can get, not just cloud providers, such as ISO27001 Information Security Standards and ISACA IT Audit, Security, Governance and Risk Certification.

7. Build Security Controls into the Contract

This is where the rubber hits the road. With any cloud service, you will be entering into a contract. The provider may not be willing to negotiate anything, or may not be willing to extend much flexibility to smaller customers. At the very least, you need to carefully study the contract language as it relates to security controls.

And if the provider is willing to negotiate, you need to establish in the contract the type and level of encryption to be used, where and when -- all determined by the analysis in earlier steps -- and the safeguards against data loss to be used, such as redundant storage.

You may also be able to negotiate the right to audit the company’s facilities or security practices (although the cost of doing so may be out of the price range of many small businesses).

“Many cloud providers will never give the right to audit,” Samani acknowledged. “And the more security you ask for in general, the more the cost is going to go up. But we suggest asking for the right to audit.”

8. Negotiate Service Levels and Exit Strategies

Security in the cloud is not just about protecting data. It’s also about ensuring your own business continuity. Your ongoing operations may now utterly depend on being able to access a cloud service. What happens if the provider’s service is unavailable for a short or a long period?

Some providers will negotiate a service level agreement (SLA) specifying uptime percentages and the time to respond to trouble calls. SLAs may include financial penalties, often a discounting of service fees, if the provider fails to meet the terms. Typically, though, the stricter the terms, the more you will pay for the service.

It’s also important to ensure that you’re not locked in to the provider’s service so that it’s difficult, expensive or virtually impossible to disengage and take your business and data to a different provider in the event you become dissatisfied or find a better deal.

And try to pre-negotiate the terms for changing contracted services in response to changes in your business, to guard against prohibitively expensive fees for making such changes.

9. Pursue Offline Security Measures

As Quin pointed out, one of the problems with moving to the cloud is the loss of control over your “security profile.” But in some cases, it may be possible to preserve some control -- by using offline backup of data stored in the cloud, for example, or preserving the right to control encryption keys so that in the event a provider’s system is compromised, there is no possibility of keys falling into the wrong hands.

10. Read the Cloud Security Alliance Guidance Document

The CSA has prepared a detailed document outlining the due diligence it recommends companies undertake when considering moving applications and data into the cloud. Read it, and follow it to the best of your ability.

Gerry Blackwell is a freelance technology writer based in London, Canada. Read his blog, AfterByte.


This article was originally published on March 08, 2011