Security is a big concern for any form of cloud computing. You will be asked to take all of your files and records and store them in someone else’s computer system. You will not own the computer system and you will not usually be able to see it. At some level you have to trust the company who will store your data to protect it properly, but there are things you can do and questions you can and should ask.
There are 4 basic security risks you face in any computing environment:
1. Unauthorized people will see your company data.
2. Unauthorized people will see your customer’s data.
3. Your data will be lost or corrupted.
4. Unauthorized people will use your resources.
In cloud computing these risks increase for the following reasons:
1. Shared resources – your data is on the same hardware in the same building as many other companies. Because of this concentration of data, the cloud provider’s site is much more of a target than your company alone. If someone can crack into this computer, they can get access to a lot more information.
2. Public networks – since all of your data will now be moving back and forth between you and your provider over different networks, some public and some private, your data is at risk of being compromised as it travels on the networks.
3. Loss of Control – once you move all or part of your systems to the cloud you will have to rely on many vendors to do their part in securing your data.
Even though you will be outsourcing operations to a cloud provider, you will still need to have policies and procedures in place to ensure security. You will need to work with your IT services company to choose password complexity, password-change policies and access permissions.
Ultimately, security of your company data is your responsibility; you should not simply rely on a provider to do it. You should rely on them to do what they say they are going to do, but you need to ask the right questions and get the right answers.
Here are some questions you can ask any cloud services provider:
1. Who will have access to my data, and how many different people will be able to access it? Are they administrators with access at your company or a third party or both? What about the third party? What access do they have?
2. What about regulatory and industry standards compliance? Does the provider’s system comply with all of the things you need to comply with?
3. Encryption – what kind will be used? Has it been tested? Is the data encryption protecting the data all along the path to and from your provider and your end users? How?
4. Data Location – Where is your data actually located? How many different places? Are they in the US? If not, what are the ramifications of that – do you lose or gain privacy from government or other access to your data?
5. Recovery – Is there redundancy in the system? Do not assume this – most will have it, some will not. Is the system backed up regularly? What is the exact procedure for restoring the system? How long will it take to restore service in the event of a major crash?
6. What happens if the Cloud Provider goes out of business? – The cloud provider will not be of much help here; you have to walk yourself through this scenario and plan for it. This can happen to big companies and small companies, and when it does, they will not care about you and your problems. This is why I always recommend that you have copies of your data on hand somewhere at all times – back up the backup. You should have your IT provider document this process and think about what will happen ahead of time. It may never happen, but you never want to put yourself in a position of relying solely on one resource.
There are many more issues and details that we could get into concerning security and backup, but this is a start. You will need to have your IT Provider explain all of these issues to you until you are comfortable that your data is secure.