How Secure is the Cloud?

March 6, 2012 By David
Grazed from Computer Technology Review.  Author: Oliver Moazzezi.

Cloud adoption is quickly gaining traction. A 2010 Forrester Survey found that 45 percent of European companies plan to adopt cloud-based IT services and it’s no surprise, as the benefits abound. Citing key advantages such as reduced costs and improved business efficiency, cloud computing also provides companies with inexpensive access to IT experience that they might not have in-house.

But despite companies embracing hosted cloud infrastructure and service, they are all too aware of potential pitfalls – one of the largest being data security. Because hosted services often store data in locations that are external to customers’ operations, IT managers realize that they are depending on the hosted providers’ in-house security capabilities to protect their data. This causes concern when dealing with high value data, such as financial information and customer contact details…

Many companies considering hosted IT services are primarily concerned with the possibility of data theft. But when analyzing security risk, they should also consider data availability. That is, if a company’s data should suddenly become corrupted or otherwise unavailable, how can it continue to operate? How can it continue to meet compliance, reporting and operating requirements?


Businesses hoping to minimize data risk should be concerned not only with the layers of security protection that hosted companies employ, but also the manner in which they can guarantee data and application restore in the event of an issue. So how should companies considering hosted cloud-based infrastructure and services evaluate these critical needs?


Securing hosted cloud-based services
There is no doubt that cloud-based services have been at the receiving end of intensive hacking campaigns that have one objective: the theft of valuable information. Occasionally, those criminal efforts have been successful. One only needs to think of the recent Sony attack to remember how even large organizations and their valuable data can be at risk.


However, companies who have not deployed private or public cloud infrastructure, and who are not using hosted external cloud-based services, are also coming under attack. Consequently, and contrary to concerns about security and risk, many IT managers and company executives are turning to hosted cloud solutions in order to actually enhance security. Symantec’s State of the Cloud Survey 2011 reports that 87 percent of companies adopting cloud infrastructure are doing so to improve security. This is because in-house staff do not have the knowledge or skills to adeptly journey to the cloud.


Companies can employ a variety of strategies to enjoy the benefits of cloud-based infrastructure, while also maximizing data security. By deploying a private cloud environment, companies will rely exclusively on in-house security solutions. This would include their staff’s knowledge of security tools and the reliability of their existing IT infrastructure to defend against data theft. Deploying a public cloud environment usually means employing a hosted cloud-based service and infrastructure provider. In this case, a company would rely on the security capabilities, knowledge and insight that the provider brings to the table.


Finally, the deployment of hybrid cloud environments is a combination of the two: Applications, data and IT infrastructure reside both in-house and also within a public cloud environment. Each option carries a security risk. If an organization is confident in its knowledge of best-of-breed security, data retention and disaster recovery practices, then a private cloud environment may be appropriate. However, if they are uncertain about security techniques, then they may need to consider public or hybrid solutions.


Complying with stringent security requirements
A major consideration when choosing a hosted cloud service company is: Do they follow best-practice standards as required by leading software providers? Some do. Some don’t.


When choosing a hosted cloud service provider, security practices should be given due consideration. Many hosted cloud companies offer much higher levels of security than most in-house IT departments, because of their stringent best-of-breed practices and infrastructure. However, when considering a hosted service provider, make certain that they have multiple redundancies. Leading hosted service companies should have at least two primary data centers. Some will also have an off-site disaster recovery center.


Where’s the data? Meeting compliance requirements
If infrastructure and best practice compliance processes are critical to hosted cloud security, companies considering hosted cloud services also need to ask a very simple question: Where is my data held? This apparently simple question is critical in that the answer may determine the data compliance requirements you might face.


For instance, if a company’s data is being stored in the U.S., then it would have to comply with the U.S. Patriot Act, even if it was a UK company. Needless to say, it is critical that businesses ask where their data is being housed when using a hosted cloud service. If a hosted cloud service company can’t tell a client where their data will be held, or develop strategies to meet localized compliance and data retention requirements, then they should be avoided.


There is no doubt that cloud computing and its variants (private, public, and hybrid) will grow exponentially for the foreseeable future. Companies are adopting cloud capabilities to enjoy the significant computing benefits at cost-effective rates. But before organizations dive into the cloud, they should make certain that their hosted cloud service provider has adopted best-of-breed security practices to safeguard critical data.


Ten key questions companies should ask before committing to a cloud service provider

  1. Where is my data located? Is there country specific legislation that will affect it?
  2. Is my data backed up? Can I request restores, or is the backup held for the provider's own DR purposes only? Push them for their restore logs (they should be randomly verifying that backed-up data is actually restorable).
  3. Does the provider offer dual data center solutions or beyond? How does my service behave in the event that a data center is lost? Is this transparent or is there downtime to stand the service up in the secondary location?
  4. Is my data encrypted? How is it encrypted? Does the cloud service provider follow any ISO or similar accreditations? Can the provider show me its certificate and its last audit dates?
  5. Check the company's financial data and history – is it a new start-up? Has it been around a long time? Is it financially healthy?
  6. Ask for references from other companies already with the provider – insist on companies in the same sector and with a similar head count to yours.
  7. Ask for the last 12 months of SLA (Service Level Agreement) information – ensure it meets the uptime you are looking for and that the provider advertises.
  8. Ask for any incident reports regarding breach of service, or excessive downtime.
  9. Ask for a full brief of all service professionals who work for the provider – compare them against yours and ensure that you are outsourcing to a more competent and professional IT team.
  10. Do not be afraid to ask for site surveys – go and see where your data will be held.