Cloud security - time for some tough questions

Good news... if you are using a cloud-based application and a security patch needs to be applied, it can all happen transparently and without you even realising it’s happened. If you use GMail (as I do), then you will have seen improvements with the latest upgrade, which is great.

But as those of us who have worked in enterprise IT know, upgrades don’t always go so uneventfully.
 
A recent upgrade to the Twitter service resulted in some undesired effects, including the loss of service for some users. Moreover, there were missing, late and duplicate Tweets. The service was out for several hours. This is not uncommon: a quick look at the news shows that unexpected outages of cloud services are a relatively frequent occurrence.
 
As businesses move towards cloud services, there are new risks that need to be appraised and dealt with. Thinking that a service provider won’t make the occasional mistake is naive at best and could be disastrous.
 
The introduction of cloud services has had a number of unintended consequences, not least of which is the abdication of responsibility when it comes to security and availability. When IT is run in-house, security policies are applied and there are known parameters relating to availability. The data has to be secure, the systems free from viruses and hardened against hackers. The data has to be backed up and, if critical, the application clustered and the data replicated.
 
When moving to a cloud service, it is often assumed that security is done by the service provider and that availability will be 100 percent. Of course this isn’t the case. Some providers do offer security and availability options, but these tend to be opt-in rather than opt-out and of course there are additional costs involved.
 
Without asking the right questions, it is often the case that data is stored and an application is run on infrastructure you would never consider appropriate if it were in-house.
 
Service Level Agreements can offer some compensation for a service that’s down, but probably not as much as your company might lose. The service being ‘down’ is not necessarily the worst that can happen - the service might be corrupted with this fact going unnoticed. Or what happens if the service provider disappears - along with your data - as Atmos Online did last month? How quickly can you get up and running on another provider’s service?
 
There are several resources available to help you make the right choice of cloud service provider, including the Jericho Forum's Self-Assessment scheme, the Cloud Security Alliance’s security guidance in cloud computing and ENISA’s cloud computing risk assessment.
 
Understanding what happens in the event of a ‘disaster’ is important - how will the provider work to fix the problem?
 
Cloud-based services mean greater access to more applications, with the opportunity for suppliers to rapidly add and roll out new functionality, giving greater value to the customer. But with the new opportunities come new issues; being aware of the risks and having a contingency plan is essential. Forewarned is forearmed.

Author: Guy Bunker, Jericho Forum Spokesperson and Partner, ExecIA LLP



