One of the arguments I hear over and over again with regard to cloud computing is that entrusting your enterprise secrets to the stewardship of a cloud service provider does nothing but relinquish your control over your information, which will inevitably lead to bad stuff happening.
In some cases this makes me laugh while in others I feel my toes curling in my shoes. Loss of control is by far the least compelling argument I’ve heard as to why cloud services might not be for your business.
I ask you this - how much control do you have today? Most people have no idea. Do you really know what every administrator is doing, whether on the payroll or a subcontractor with a privileged account? Could the bios in your laptop be potentially untrustworthy, Lenovo?
How do you know a competitor or hactivist isn’t lurking in plain sight in your security team or even your executive team? How about network configuration: who manages those tricky configuration files on all your switches and routers, and do they notify you every time they make a security-relevant change? Are your operating systems fully patched and up-to-date?
Do you oversee the quality control in the development process that created the code used in the browser you use to surf the internet?
Just last month we had yet another SSL vulnerability that had us all scrambling for the big red update button, so who’s really in control?
The real question should be: is our data any worse off when it’s in the cloud as opposed to your own data centre (that may or may not be 30 years old and built on a flood plain).
The reality is that cloud has become the new IT services model and we need to embrace it. Cloud providers understand that security is fundamental to their offerings as it can literally make or break them.
If Salesforce or Amazon repeatedly suffered breaches or major outages, you wouldn’t touch them with a bargepole. They need to be better than the rest and better than what you can do yourself.
As such, they are providing services with more security than the majority of users need; just take a look at the Amazon Web Services security site to get an idea of what they have provided to assure you that they can keep you safe.
If you happen to store your prized customer database on an old Windows 2003 Server in a back room in head office, what happens after July 15th when Microsoft stops sending you security patches?
If you weigh it up and decide cloud is for you, just remember to do some due diligence before you dive in.
Aside from the standard questions about the service; there are some vital security questions you can push vendors' way to see how serious they really are:
- What certifications do they have? Certs don’t make them great, but it shows they have done enough to meet the demands of an external audit – which in itself is some level of assurance. Look at the audit scope and ensure it’s comprehensive. If it’s limited to just one part of their service, walk away. They are unlikely to care that much about security and have done the exercise just to make them sound as good as the next guy.
- Where will your data be stored? What happens in the event of a continuity incident? You don’t want your data going offshore even if they have a major catastrophe.
- What rules do they play by? If it’s an American company, it may be bound by the US legal system, hence allowing the FBI or CIA unfettered access to your data.
- How much auditing do they do? And how much will they provide to you? Audit logs can be fed into your SIEM solution to alert you when bad things are happening, but you might also be content to just get reports for investigation after the fact.
- How do you off-board from their service? Should you decide to leave them, how can you be sure they have removed all your data and not left copies of your confidential information lying around?
This is just a subset of the questions you should be asking a prospective cloud provider; there will always be specific questions to your business that may be more pertinent. Once you get agreement that this meets your needs, make sure it’s all covered in your contract.
You can then focus on mitigating the risks that they can’t handle for you, such as what to do if they go into administration, or if a breach still happens (despite everyone’s best efforts). You’ll still need your communications plan and an incident response capability because bad things inevitably happen.
Using cloud services is an excellent way to reign in your IT spending and ensure you remain as secure as possible, while still gaining the advantages of better uptime and availability.
But like anything shiny and new, there is a downside. Be sensible and treat it like any other service provision and you’ll not go far wrong.
A little sprinkling of due diligence up front could save you heaps of grief later.