The good news for organizations considering a move to the cloud is that security concerns are receding. The bad news is that they have not gone away. A recent Dark Reading article reported that among small and medium businesses, security was the biggest reason cited by those who chose not to move to the cloud, and also the biggest payoff cited by those who did. What makes the biggest difference in confidence is which applications are being considered for the cloud: financial content, for example, will be more risk-sensitive. The most popular cloud applications, according to ClickZ, are file sharing and business productivity, with customer relationship management, marketing, social business and collaboration on the rise.
In a Network World piece, Gartner noted that its clients are almost universally disappointed with cloud contracts, which they find incomplete with respect to security specifics. Several groups are working on standards, including the federal government with its FedRAMP program for the providers it uses. The Cloud Security Alliance (CSA) and the American Institute of Certified Public Accountants (AICPA) are also involved, but their impact on standards is thought to be a year or more away.
So, after you identify the right application candidates, what’s next?
Here are some basic suggestions to boost your confidence if you are ready to get off the fence and move to the cloud, or if you already have a provider but need to adjust the relationship. First make sure the internal mindset is in place: business managers accept responsibility for ownership of the data, and IT managers are prepared for their in-house control and flexibility to change (not necessarily disappear). Once that is settled, consider the following:
- Providers with broader capabilities help you avoid cloud silos and multiple contracts.
- Of course you are going to encrypt all your data, but don't let the inmates run the asylum: keep the encryption keys under your own control rather than the provider's, and get proof from the provider that deleted data is really deleted.
- Employ two-factor authentication to confirm identities.
- Implement authorization policies that grant the absolute minimum data access needed to do the job.
- Consider using a third party for compliance help. The provider is accountable to you, but you remain legally responsible.
- All transactions need to be monitored and recorded, both to validate controls and to support resolution and documentation in the event of a breach.
- Geographic and country-specific legal issues related to data movement and ownership must be specified.
- Establish service level agreements with definitions and penalties related to data and system availability.
- Understand their disaster recovery and business continuity plans inclusive of replicated data centers.
- Clouds can evaporate and your business needs change. An exit strategy needs to be included in the contract.
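The key-ownership point in the encryption item above is worth seeing in code. The following is an added example written for this page, not code from the article or from any cloud provider. It shows envelope encryption using only the Go standard library: each object gets its own data-encryption key (DEK), the DEK is wrapped under a key-encryption key (KEK) that only the customer holds, and the provider stores nothing but ciphertext plus the wrapped DEK. It also shows crypto-shredding: destroying the KEK makes every object wrapped under it unrecoverable, which is the one form of "really deleted" a customer can verify without taking the provider's word for it. The `Tenant` and `StoredObject` types and the sample ledger string are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// seal encrypts plaintext under a 256-bit key with AES-GCM and returns
// nonce||ciphertext||tag. A fresh random nonce is used on every call.
func seal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// open reverses seal. Under any key other than the sealing key the GCM tag
// check fails, which is the property the provider cannot bypass.
func open(key, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
}

// StoredObject is everything the provider ever sees (hypothetical type):
// ciphertext plus the per-object DEK wrapped under the customer's KEK.
type StoredObject struct {
	WrappedDEK []byte
	Ciphertext []byte
}

// Tenant models the customer side (hypothetical type). The KEK lives here
// and never at the provider.
type Tenant struct {
	kek []byte
}

// NewTenant generates a fresh 256-bit KEK for the customer.
func NewTenant() (*Tenant, error) {
	kek := make([]byte, 32)
	if _, err := rand.Read(kek); err != nil {
		return nil, err
	}
	return &Tenant{kek: kek}, nil
}

// Upload does envelope encryption: fresh DEK per object, data sealed under
// the DEK, DEK sealed under the KEK. The plaintext DEK is zeroed afterwards.
func (t *Tenant) Upload(plaintext []byte) (StoredObject, error) {
	if t.kek == nil {
		return StoredObject{}, errors.New("tenant KEK has been shredded")
	}
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return StoredObject{}, err
	}
	ct, err := seal(dek, plaintext)
	if err != nil {
		return StoredObject{}, err
	}
	wrapped, err := seal(t.kek, dek)
	if err != nil {
		return StoredObject{}, err
	}
	for i := range dek {
		dek[i] = 0
	}
	return StoredObject{WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// Download unwraps the DEK with the KEK, then decrypts the object.
func (t *Tenant) Download(obj StoredObject) ([]byte, error) {
	if t.kek == nil {
		return nil, errors.New("tenant KEK has been shredded")
	}
	dek, err := open(t.kek, obj.WrappedDEK)
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return open(dek, obj.Ciphertext)
}

// Shred destroys the KEK. Every object wrapped under it is now unrecoverable
// whether or not the provider actually deleted the ciphertext.
func (t *Tenant) Shred() {
	for i := range t.kek {
		t.kek[i] = 0
	}
	t.kek = nil
}

func main() {
	tenant, _ := NewTenant()
	obj, _ := tenant.Upload([]byte("constructed sample: Q3 ledger"))
	pt, err := tenant.Download(obj)
	fmt.Printf("owner reads back: %q (err=%v)\n", pt, err)
	provider, _ := NewTenant() // the provider has keys of its own, not ours
	_, err = provider.Download(obj)
	fmt.Println("provider without our KEK:", err)
	tenant.Shred()
	_, err = tenant.Download(obj)
	fmt.Println("after shred:", err)
}
```

Run it with `go run`: it prints the owner's successful read-back, the provider's failure to open the object without the customer's KEK, and the failure after `Shred`. In practice the KEK belongs in an HSM or a customer-controlled key management service rather than in process memory, but the contract point is the same: whoever holds the KEK decides who can read the data, and destroying it is a deletion you can prove to yourself.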
Spending some time on these things before you take the leap will pay dividends in the long run, and should leave you spending less time on security while better protecting your data.