Cloud security is becoming more and more important as a variety of businesses seek to move their software, applications and infrastructure online to cloud-computing-based solutions. Cloud is becoming the normal way for businesses and customers to interact and exchange information. In this article I want to examine the risks of cloud computing and how cloud security plans and processes can help businesses mitigate these risks and maximise their value from the cloud.
Types of cloud services
Cloud computing can generally be divided into three types of services:
- Software as a service (SaaS) – software hosted in the cloud (such as Office 365)
- Infrastructure as a service (IaaS) – virtual hardware and infrastructure (such as Dropbox)
- Platform as a service (PaaS) – online platform that allows customers to develop, run, and manage applications in the cloud (such as AWS Elastic Beanstalk)
A cloud environment can be:
- A hybrid of public and private.
Private cloud adoption increased from 63 percent to 77 percent in 2016, and over 95 percent of those replying to the RightScale survey indicated they were using or intended to use cloud services this year.
Benefits of cloud computing
When done right, cloud computing has a number of benefits. Some of the most important are:
- Lower cost – often there is no upfront cost of procuring hardware and software and the customer can ‘pay as you go’ on a monthly service fee.
- Always on – the customer can access the cloud services anywhere at any time, provided they have an internet connection and a computer or mobile device.
- Scalable and flexible – cloud services are flexible and scalable so the customer does not have to pay for parts of the service and expensive infrastructure that it rarely uses.
In a similar way to all IT services there are risks and benefits to cloud computing that each customer needs to consider in the context of its own circumstances and the particular offering from the cloud services provider.
Cloud risks and due diligence
Many governments and businesses are recognizing that the cloud is the future. The UK government has recently adopted the G Cloud procurement model for its IT services. This rapid adoption of new technology with global availability presents new challenges. Some of the risks are inherent in the cloud computing model and others are present in both cloud and traditional IT procurement and outsourcing models.
Broadly, paid cloud services will offer better cloud security and encryption options than free services. Although the challenges of a multi-cloud environment can take some getting used to, it may be prudent for a customer to use multiple cloud providers to reduce some of the risks of putting ‘all of its eggs into one basket’.
Regardless of the cloud model, all customers should undertake sufficient due diligence on the proposed cloud provider before signing a contract and uploading the customer’s data to the cloud.
Cloud security and contracts
Some of the risks that a customer can address in the services contract with the cloud provider include:
- Availability – The customer should ensure that it has access to its data stored on the cloud service when it needs it. This may be by way of a service level (SLA) guarantee in the contract. The cloud supplier should provide copies of its backup and disaster recovery plans and procedures on request.
- Security and unauthorised access – The customer should check if the cloud provider supports firewalls, secure password protection and data encryption (either customer encryption or an encrypted cloud service). Even with these safeguards, the customer should be careful before making the decision to store confidential or sensitive documents on the cloud. As the data may be stored, transferred and backed up on different cloud servers across the globe, this can present privacy law compliance challenges for customers.
- Data breach procedures – If something does go wrong, the customer will want to minimise its exposure. The cloud supplier should be able to react quickly and isolate the problem. In Ireland, the Data Protection Commissioner has approved a personal data security breach Code of Practice to help organisations to react appropriately when they become aware of breaches of security involving customer or employee personal information.
- Governance and oversight – The customer should consider if the cloud provider is permitted to sub-contract the processing of data. If the customer requires any audit rights these should be set out in the contract. The contract should also clearly address the circumstances under which the cloud provider can release the customer’s data stored on the cloud.
- End of contract issues – The customer should have a right to remove or transfer its data away from the exiting cloud provider back to the customer’s systems or to migrate to a new provider. The contract should state if the outgoing provider has to offer migration assistance and whether this is included in the charges or subject to additional charges.
5 point cloud security plan for businesses
Exigent Networks, a network security solutions company based in the Republic of Ireland, has produced the following infographic. The infographic contains a five-point plan that businesses can follow in order to maximise the security of the data that they store on their cloud.