Cloud computing has completely revolutionized the way businesses handle data. No longer limited by their own hardware, companies can now take advantage of technology tools offered by providers around the world. This trend will only continue as more organizations transition storage and compute power to the cloud. According to analysts at Gartner, cloud services are predicted to grow to $244 billion by 2017.
With all the benefits the cloud has to offer, it is imperative that businesses develop the essential awareness and master the fundamental security capabilities required to safely and securely deploy cloud computing solutions. This is especially critical for functions—and even entire industries—with a high risk of data breach, such as payroll processing, human resources management, health care services and anything related to financial data, from consumer banking to payment card transactions to retirement fund distributions.
Different needs, different risks
The use of cloud computing was once relatively limited, revolving primarily around the storage of large or important data files and the need to have backup copies available in the event of a disaster. As cloud platforms continued to evolve, that all changed. Cloud computing now means not only the traditional storage-as-a-service, but also software-as-a-service and even infrastructure-as-a-service. Companies have transitioned entire software applications into the cloud, reducing their on-site footprint and making information and systems available to workers no matter their location.
Because the cloud means many different things in today’s connected environment, a careful evaluation of operational needs and practices will help determine where risks exist. A business must first identify the primary function it’s trying to move to the cloud, or where they may already be leveraging cloud-based resources. This will direct the team to the areas most vulnerable to exposure.
Storage-as-a-service and data-backup platforms are where many security and privacy risks often emerge. Whether it’s storing older information or just archiving data because the business doesn’t want to manage the servers itself, a set of risk parameters naturally exist anywhere potentially sensitive data is at rest. One positive about cloud data storage is that most providers offer highly effective safeguards, such as encryption. These features are often well-integrated, but businesses may not be leveraging the technologies to good advantage. For example, encryption tools are rarely applied by default. Cloud customers must usually opt in, meaning they need to not only deliberately utilize encryption, but also manage the encryption keys themselves. So while robust options to protect stored data are nearly always there, either available for a negligible additional fee or just for the effort of actually doing it, many entities never take the necessary steps to protect their cloud-based resources.
Slightly thornier issues exist on the managed-software side of cloud computing. Rather than simply storing data, more cloud platforms are allowing businesses to move away from the software and systems that have traditionally lived within their four walls to instead take advantage of powerful platforms in the cloud. Salesforce, WebEx and Microsoft Azure are just a few examples of cloud-based services. A multitude of data types are often managed by these platforms, ranging from attached spreadsheets and PDFs to entire databases that remain dynamic in the cloud.
One of the primary concerns with these platforms becomes delineation between the security measures and breach response protocols the vendor is responsible for and which remain under the purview of the customer. Few cloud software providers allow for negotiation of the contract terms and service-level agreements, leaving businesses to sift through detailed contract language to determine where obligations exist on both sides of the partnership and where security vulnerabilities may occur during the hand-off of data and compute power between users and the cloud provider.
Careful research makes all the difference
To ensure the appropriate safeguards are deployed around all instances of sensitive data, whether at rest or in transit, businesses must dedicate sufficient time and resources to conducting their due diligence. This exercise becomes even more important where hyper-specialized solutions may be in use, such as those that exist within the health care sector and other industries with very specific demands, needs and compliance mandates.
Everything from how the vendor is expected to respond to discovery requests to how notification occurs if the provider suspects a breach has occurred should be clearly stated in the service contract. A business considering a move to the cloud will also want to determine how their provider will respond to requests from law enforcement, regulators and third parties (Is an applicable subpoena, warrant or similar measure required?).
Cloud customers should also inquire about where the provider’s servers are located, as some regions – such as Europe – may treat data access differently than others, potentially creating a regulatory or liability issue for a multinational. Of course, these are in addition to the due diligence any cloud user should conduct around the security measures and privacy protocols the vendor deploys.
With a clear understanding of how cloud resources are to be leveraged within your own enterprise and what role the provider will play in bolstering security protections, a business will be well equipped to address potential weaknesses across its cloud footprint, as well as to mitigate its risk of running afoul of differing data protection obligations and its risk of a data breach.