Public Cloud Security Benefits and Risks
There can be no doubt that technologies such as SaaS, PaaS, IaaS and other cloud services can deliver a great ROI. The reduced cost of ownership of cloud services make them incredibly attractive. This is especially true of public cloud services that offer cloud access using a public facing internet connect hosted on shared architecture.
Think about that for a moment. Private company data being sent across the internet. And then being stored and processed on hardware that is shared by many cloud customers. It doesn’t take much of an imagination to realize that there could be serious public cloud security risks in working in this way.
Below is a basic public cloud security checklist. It can be used when evaluating cloud vendors.
- Ensure compliancy – any cloud vendor worth its salt will comply with legislative requirements within the market they sell in to. However, don’t just take their word for it. Some providers imply compliance, when in reality they are relying on the compliance of another vendor who provides them services to resell. Check and ensure the actual vendor takes compliance seriously.
- Perform an audit – a reputable cloud vendor will be entirely open to the idea of an audit. This audit should cover both the technology being offered, and also the business processes the vendors uses to manage and maintain those services. Make passing a regular audit part of the contractual terms.
- Define responsibilities and roles – once a suitable cloud vendor has been found, roles need to be defined. Clear boundaries need to be set, indicating exactly what the vendor is responsible for. In a similar fashion, the buyer will define their responsibilities. Ideally, these responsibilities shared between the buyer and the vendor will meet seamlessly.
- Deploy and enforce proper data protection standards – this is a fairly inward looking touchpoint. It involves making sure that employees and the technology they use are using proper security technology. This means SSL encrypted connection, robust password policy, and other best practices.
- Put public cloud security policies in place – so that the business and the vendor know exactly what the processes are that drive security. Not only in preventing security breaches, but also how they are dealt with should they occur.
- Monitor physical security – such as how premises are secured to prevent nefarious access to secure equipment. Also the setting up of device logging, for moveable devices such as tablets and laptops.
- Monitor the SLA closely – ensure that the cloud vendor continues to comply with all of the requirements that were stipulated in the contract terms. This is an inside out activity, that the business will be solely responsible for.
- Have an exit plan in place – should the chosen cloud vendor fail to maintain data security in an effective fashion. This means having plans to move company data to new infrastructure and maintain business continuity.
For more considerations on what to consider when evaluating a cloud vendor, read the white paper Caveat Emptor: 10 Questions to Ask a Managed Service Provider Before You Sign.