Cloud computing can represent a net gain in data security and system reliability — especially for small businesses with aging computers and data stored on hard drives that rarely — if ever — receive a backup.
But that doesn’t mean you can take security and reliability for granted. Protecting your company in the cloud requires careful due diligence and planning. Start here with these 10 cloud computing security tips.
1. Identify and Assign Value to Assets
Assets could include applications such as customer relationship management (CRM) or accounting; data, including private customer information; or infrastructure such as hosted servers and operating systems.
The Cloud Security Alliance (CSA), an industry association set up to promote security in the cloud, recommends a structured, step-by-step approach to planning and managing cloud security, and this is where it starts.
Ask yourself how valuable the assets that you’re considering moving to the cloud are to your organization, said CSA advisor Raj Samani, the London-based chief technology officer for security software vendor McAfee.
What would happen if you couldn’t access online software for an hour or a day, for example, or the provider lost your data, or hackers stole sensitive information from the provider’s computers?
“Not all cloud providers are the same,” Samani noted. “If you assign a value to your assets, then it’s easier to decide what level of security you’re going to need.”
2. Assess Your Liabilities
One of the biggest cloud security concerns is the risk of breaches resulting in loss or theft of sensitive private data. If the information leaked is proprietary only to your company, liability is not a concern. But you need to know where responsibility lies if customer or patient information goes missing.
“If there’s a breach and data is lost, it’s not the cloud provider who is on the hook,” said James Quin, lead analyst at Info-Tech Research Group Inc. “It’s the way all the regulatory bodies are coming down on this. You collected the data and chose how to store it. So you’re on the hook if something goes wrong.”
In other words, caveat emptor — let the buyer beware. And in this case, you’re the buyer.
3. Research Compliance Requirements
In some industries — banking and health care are examples — government or industry regulations establish standards for how electronic data is handled, including stipulating the level of security that must be in place. You may not even be permitted to use cloud services, or there may be restrictions, such as a requirement that the data be stored within the borders of your own country.
“The number and type of security controls in place may well be defined by regulation,” Samani said. “If you’re processing credit card transactions, for example, you may need to comply with PCI-DSS standards. Long before you engage with potential providers, you need to build a list of regulatory requirements for security.”
Even if nothing ever goes wrong security-wise, failing to comply with regulations can land you in hot water.
4. Determine Your Risk Tolerance
These initial steps all play into this admittedly somewhat nebulous, but pivotal, next step. How much are you willing to risk, how much can you afford to risk — given the liabilities, the regulatory requirements, the importance of the assets to your organization?
“Based on the level of risk I’m willing to tolerate, do I, for example, have to look at a hybrid cloud solution?” Samani said, referring to a cloud implementation in which some data or program logic remains on your business premises.
The other critical consideration is the cost of ensuring security, whether in the cloud or at your own offices. The more security controls you demand from cloud providers, the more expensive their services will be, Samani said.
“But if we could give any advice to small businesses, it would be to not necessarily accept the lowest-cost solution,” he added. “Cost is not the only thing [to consider].”