Security & the Cloud
Critical to enterprise adoption of cloud computing is trust. Without trust, the economics and time-to-market advantages of cloud computing don't even come into play, and enterprise IT simply can't risk moving to the cloud.
Any organisation that chooses a hosting company or cloud service provider must conduct due diligence before making a leap of faith. If you are considering, or already, hosting or using services in a public or private cloud, have you addressed the following seven areas of risk in moving to the cloud, as defined by the well-known industry analyst Gartner?
- Privileged user: service providers should have a combination of adequate training plans, character assessments and stringent hiring processes with employee background checks before granting staff access to privileged systems and data.
- Regulatory compliance: if you are hosting/using cloud services to gain regulatory compliance, and are under the impression you can handball the hard work and all the risk over to your service provider, remember that it is your data and you are ultimately responsible for it. Check to ensure that your service provider has a good understanding of the compliance you are trying to achieve.
- Data location: do you know where your service provider is storing the data, and its backup data? Do you require that data resides within Australia? Don't assume that just because your service provider has a presence in Australia, that the data will also live in Australia.
- Data segregation: as service providers capitalise on virtualised and shared infrastructure to deliver services, make sure that your data is not being shared with other customers. Don't assume that data segregation is included - ask for an explanation from your service provider as to how each customer's data is segregated.
- Recovery: can your service provider recover from loss of a file, a disk drive, a computer system, a network outage, a power outage, or loss of an entire data centre? If your business must survive, you need to ask your service provider about its ability to recover and the service levels applied to its recovery.
- Investigative support: if and when things do go wrong, does your service provider have the visibility to detect problems with availability, performance or security? More importantly, does it have the ability to respond and remediate? Make sure that you have visibility of your service provider's incident detection and response procedures.
- Long term viability: nothing lasts forever, so make sure that your service provider is financially stable, is not going to be swallowed up by or merged into a bigger organisation, and is not about to be split off into a poorly funded subsidiary. These are questions that need to be asked.
If you have not done your due diligence when choosing your service provider, get started now; doing so late is better than never. If you don't like the answers you receive, then it may be time to look for a new service provider who has already addressed all seven areas of risk.