Saturday 18 July 2015

The Cloud

Most, if not all, organisations now have some reliance on cloud-based services, whether for storage, hosted software or delivery of services to customers.

Get Safe Online's top tips...
  • Research and select cloud hosting providers with diligence.
  • Impose strict controls on who can access cloud servers, and maintain access logs.
  • Consider encryption, especially in the case of confidential company, employee or customer data.
Common examples of cloud computing include:
  • Software-as-a-service (SaaS) is cloud computing where the software you would normally install on office computers is instead delivered via the internet. It is also commonly known as ‘hosted software’ or ‘hosted applications’.
  • Infrastructure-as-a-service (IaaS) cloud computing is where you rent space in a datacentre and use their servers rather than buying new hardware to run your business. A common example of IaaS is website hosting.
  • Any type of online data storage or backup also uses the cloud.
As well as delivering management and sometimes cost benefits, the cloud also facilitates flexible working practices such as home and other off-site working.
The risks
Whatever tasks or applications you use the cloud for, it is vital to protect your own and any customer data that resides there. Analyst firm Gartner has identified seven perceived risks of cloud computing:
  • Privileged user access
Keeping sensitive information with a third party has inherent risks because you are bypassing your company’s own IT infrastructure and support team.
  • Regulatory compliance
Customers are responsible for their own security and data integrity.
  • Data location
You do not know where the information is physically being stored; it could be anywhere in the world.
  • Data segregation
Your data is stored alongside other people’s data, and an encryption failure could make your data completely unusable.
  • Recovery
What happens in a disaster? Is the data being replicated?
  • Investigative support
Inappropriate or illegal activity might be hard or impossible to investigate.
  • Long-term viability
What happens if your provider is bought out or goes bankrupt?
You can either choose to host applications and infrastructure selectively in the cloud, or opt for a provider that offers a total cloud solution.
Choosing a cloud provider
Research the cloud provider market thoroughly and use only experienced, well-resourced companies that have an excellent reputation and preferably come recommended. They must be able to help you as your needs change and your organisation grows, understand your business model and demands, and be able to communicate with you in a way you understand. The provider should be ISO 27001 accredited, which will ensure that your data is hosted in an environment that meets international baseline information security management standards for confidentiality, integrity and availability.
Protecting your presence in the cloud
Apart from making a wise, informed choice of cloud provider, you should observe the following precautions to maintain data safety, integrity and availability:
  • Limit access to the cloud servers to those who need it. Maintain a clear audit trail of who has access to what data and when, and a record of who has access to encryption keys (if used). Change encryption keys if employees leave the business.
  • Ensure that any customer data stored in the cloud is either encrypted or hashed in such a way as to make it unusable to unauthorised users. Many large and small organisations have faced legal action for failing to adequately protect data when their cloud-based services were hacked.
  • Keep development and live environments separate to make direct access from development servers to live data impossible.
Cloud hosting contracts
You should have a cloud hosting contract that clearly defines:
  • What exactly your provider will do for you (and what they expect you to do for yourself).
  • A schedule for any project work that will be undertaken (such as how long it will take to install a new server).
  • A service level agreement – how quickly and to what level they will respond to and fix problems.
  • A clear fee structure.
  • Penalties in the event of a lapse / shortfall in service or a security breach.