The cloud is no more or less secure than any other infrastructure deployment method. An IaaS platform can be secure or it can be insecure; the devil is in the implementation details. But the cloud does differ from traditional in-house deployment scenarios in that less information is directly available to clients. The physical infrastructure layer is opaque, logs are not usually available, and other details that IT departments take for granted when they manage physical hardware are not accessible.
Cloud marketing concentrates on cost advantages, scalability, reliability, convenience, and security in general. But it is often light on specifics where information security is concerned, so it is important that cloud buyers do their due diligence and ask the right questions.
But it’s hard to know what to ask without knowing what the risks are to begin with. We’d like to discuss four questions that directly address potential cloud security vulnerabilities.
How will you protect my data from physical breaches?
Data is valuable. The risks that criminals are prepared to take can be considerable, and they will exploit any weak link in the information security chain. A provider can have the most up-to-date authentication methods and exemplary data security credentials, but if data is held in a warehouse secured by a rusty padlock and overseen by one security guard who knows nothing about information security, it is vulnerable.
Always ask your provider about the processes they have in place to manage physical access to their server and network infrastructure. They should be able to guarantee that data is held in secure, guarded, and monitored data centers at all times.
Where will my data be kept?
The cloud is fragmented because nations have different legal and regulatory frameworks for data privacy and security. To properly conform to local legal requirements, companies need to know where their data is. The consequences of data being stored under a different privacy regime than expected can be dire.
Data sovereignty should be high on the list of issues that companies address with prospective providers.
Do you implement end-to-end information security processes?
A cloud company is not just its technological platform; it’s also a business with employees, suppliers, offices, and so on. Information security management relies on best practices being followed throughout a business, from hiring to provider vetting.
Cloud providers should be transparent about their business processes so clients can verify the safety of their data.
Have information management security processes been externally verified?
Most cloud companies are honest, but potential clients have a couple of problems. Firstly, the one we addressed at the top of this article: most have no idea what they need to know to assess a cloud provider’s security practices. And secondly, providers have every reason to exaggerate the quality of their systems and processes.
External verification is the answer to both of these issues. Information security frameworks and assessment standards like ISO/IEC 27001 exist to give clients peace of mind. Certification by a trusted external auditor provides reassurance that a disinterested and expert third party has done the legwork and been satisfied as to the company’s information security—and a company’s willingness to call in external auditors is a strong validation of their confidence in their platform.
The public cloud is as secure as any other platform; you just need to ask the right questions and make sure that the provider has the right answers.