Cloud computing, while introducing users to new conveniences and efficiencies, has also given rise to several new security concerns. Protecting information that is shared on the cloud becomes a combined responsibility: some security issues must be dealt with at the cloud provider’s end, while others must be addressed by the customer or business hosting data on the cloud. What are the differences, and what security measures should you be requiring of your cloud provider?
First, it is important to understand why cyber security has become a shared responsibility; why a business’s data is no longer only in that business’s control. Much of the appeal in utilizing cloud computing revolves around the space, time, and efficiency that is created by having data stored and processed off-site. This is the fundamental, tangible, base layer that makes up the construction of the cloud: off-site infrastructure. Along with the responsibility of creating these hubs and processing data, cloud providers also have the responsibility of protecting the data at this level.
At the other end of the cloud is the application layer, where customers interact with the data on their own platforms. Security is essential in the application layer, as well as the infrastructure layer, as unwanted persons or hackers can access information at either end. However, at the application layer, control of data, particularly when considering verification of persons accessing data, is taken out of the cloud provider’s control and rests squarely on the shoulders of the cloud customer.
In an interview with ITProPortal.com, David Howorth, VP EMEA at Alert Logic, acknowledged that “at some point in the stack [of the Cloud system layers], responsibility for providing security shifts from the provider to the customer,” and that shift is as important to understand as it is difficult to pinpoint: “Customers need to be clear where this boundary lies so that they can take on the necessary security tasks and not assume that essential functions such as applying operating system patches or monitoring systems for unauthorized users will be taken care of by their provider.”
Talk To Your Cloud Provider
Make security a priority when looking for a cloud provider. Your cloud provider should be able to disclose the security measures they are taking with your data, including what protections they employ to keep the physical data center secure, as well as what, if any, encryption and software are being used to keep your information private. In addition, what back-up plans does your cloud provider have in the event of data loss? Insisting on discussing security measures in detail with your cloud provider will also illuminate the level of care and concern they have for your information. Here are some areas of security to discuss with your cloud provider:
It is important to know who among your cloud provider’s staff will have direct access to your data. While they are managing your information, how much access do members of their staff have to it? Personnel access is a concern across the entire cloud system, but as it involves your cloud provider, it reveals why trusting your cloud IT staff is so important. Your cloud provider should feel invested in the success of your business, and protect your data accordingly, similar to the way hired IT staff in your office work to keep your business running. Having this mutual trust will ensure that only people you know and who know you are managing critical business data.
Physical security of the hardware utilized to store your data involves mitigating risk against the unavoidable and unpredictable. Firstly, how old and reliable is the hardware that your cloud provider is using? Secondly, where is that hardware? Are there any protections built in for natural disasters, weather, human or animal tampering, or electrical problems? While your cloud provider should have physical measures of protecting your data as it exists in their data center, they should also have a full data back-up and recovery plan. To protect against data loss, your data should be stored in multiple locations. If one of their data centers is compromised, do you still have access to your information?
Despite the technical issues that your cloud provider may have, you as the customer must always be able to access your data. Again, a robust data back-up and recovery plan will help a cloud provider make this guarantee. Talk to your cloud provider about what events might inhibit their access (whether these be damage to hardware, power outages, or network issues), and what assurances they can give about your data access.
Failure to access your data may result from failures in security anywhere along the cloud system. Whether that failure is a responsibility of your business or the cloud provider, troubleshooting will require your cloud provider’s involvement. As a customer, you need to be sure that your cloud provider will be available during these critical times. Again, a trusted cloud provider will have a vested interest in keeping your business running, and will be available at all times to help.
Oftentimes, personal information such as names, emails, addresses, or credit card information is maintained by a business. If this is stored or processed in the cloud, how is your cloud provider ensuring that it is kept private? Cloud providers should be employing levels of encryption to keep this type of information safe, and should be able to explain who and what enables a person to access this information.
Discussing cloud computing and cyber-security can become a highly technical conversation. However, the human element should never be lost in translation. Investment of finances, personnel, time and ingenuity into protecting information is only as strong as the amount of concern a person has for it. Similarly, the privacy and success of your business are only as strong as the honesty and trust of your entire staff.