Despite some significant cloud security concerns, many businesses are going forward with their plans to adopt cloud computing services — even when it requires uploading sensitive data to the cloud.
About half of organizations put sensitive data in the hands of a cloud computing service provider, according to a recent Ponemon Institute survey of 4,000 IT pros.
Companies with a strong security track record and strict security requirements are actually more likely to put sensitive data in the Cloud. Despite many organizations’ fears about cloud security, those companies believe cloud computing can be secure if it’s managed properly.
How can cloud security be managed? Here’s some of the top advice experts have for organizations:
Encrypt cloud data
Just like in many other areas, one of the most important keys for cloud security is making sure sensitive data is encrypted both at rest in the Cloud and in transit. However, many businesses rely on cloud computing providers for encryption — and many fail to verify that data is actually encrypted.
In addition, businesses have several options in terms of when and how they encrypt data, and in many cases data isn’t encrypted at all possible stages. Among the organizations surveyed by Ponemon:
- 38% encrypt data as it’s transferred
- 35% encrypt data before it’s transferred so it remains encrypted in the cloud
- 27% encrypt within the cloud environment
- 16% encrypt selectively at the application layer, and
- 11% let the cloud computing provider encrypt data as a service.
Experts recommend that organizations find out what their providers are already doing, then make sure their own encryption plan covers the remaining gaps, choosing the option that best fits the sensitivity of the data.
Another key question to ask cloud computing vendors: How are encryption keys managed? Even if the vendor is handling all encryption, that does no good if hackers will be able to get their hands on the keys.
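The survey option that keeps the provider out of the picture entirely is encrypting data before it is transferred, with the organization holding the keys. The following Go program is an added example (not code from the article or from any provider) of that pattern, usually called envelope encryption: each object gets its own data key, the data key is wrapped under a key-encryption key (KEK) that never leaves the customer, and the provider stores only ciphertext. The `bucket` map stands in for the provider's object store and the sample record is constructed; in practice the KEK would come from the organization's own key management system.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// cloudObject is everything the provider stores for one object: the data
// encrypted under a per-object data key (DEK), and that DEK encrypted under
// the customer's key-encryption key (KEK). Without the KEK none of it is readable.
type cloudObject struct {
	WrappedDEK []byte
	WrapNonce  []byte
	Ciphertext []byte
	DataNonce  []byte
}

// bucket is a constructed stand-in for the provider's object store.
type bucket map[string]cloudObject

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts plaintext with AES-GCM under key. aad is authenticated but not
// encrypted; here it is the object name, so a blob cannot be moved to another name.
func seal(key, plaintext, aad []byte) (nonce, ct []byte, err error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, nil, err
	}
	nonce = make([]byte, aead.NonceSize())
	if _, err = rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	return nonce, aead.Seal(nil, nonce, plaintext, aad), nil
}

func open(key, nonce, ct, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, nonce, ct, aad)
}

// Upload encrypts client-side before anything leaves the organization:
// a fresh 256-bit DEK per object, wrapped under the customer-held KEK.
func Upload(b bucket, kek []byte, name string, plaintext []byte) error {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return err
	}
	dataNonce, ct, err := seal(dek, plaintext, []byte(name))
	if err != nil {
		return err
	}
	wrapNonce, wrapped, err := seal(kek, dek, []byte(name))
	if err != nil {
		return err
	}
	b[name] = cloudObject{WrappedDEK: wrapped, WrapNonce: wrapNonce, Ciphertext: ct, DataNonce: dataNonce}
	return nil
}

// Download fetches the stored object and decrypts it locally. A wrong KEK, a
// modified blob, or a blob copied under another name all fail authentication.
func Download(b bucket, kek []byte, name string) ([]byte, error) {
	obj, ok := b[name]
	if !ok {
		return nil, errors.New("no such object")
	}
	dek, err := open(kek, obj.WrapNonce, obj.WrappedDEK, []byte(name))
	if err != nil {
		return nil, fmt.Errorf("unwrap data key: %w", err)
	}
	return open(dek, obj.DataNonce, obj.Ciphertext, []byte(name))
}

// ProviderHoldsPlaintext reports whether the stored bytes contain the plaintext,
// i.e. whether the provider could read the data without the customer's key.
func ProviderHoldsPlaintext(b bucket, name string, plaintext []byte) bool {
	obj, ok := b[name]
	return ok && bytes.Contains(obj.Ciphertext, plaintext)
}

func main() {
	kek := make([]byte, 32) // constructed; in practice from the customer's own KMS/HSM
	if _, err := rand.Read(kek); err != nil {
		panic(err)
	}
	store := bucket{}
	record := []byte("constructed sample record")
	if err := Upload(store, kek, "hr/payroll.csv", record); err != nil {
		panic(err)
	}
	fmt.Println("provider can read plaintext:", ProviderHoldsPlaintext(store, "hr/payroll.csv", record))
	pt, err := Download(store, kek, "hr/payroll.csv")
	fmt.Printf("downloaded: %q err=%v\n", pt, err)
}
```

Because the KEK is the only secret the organization has to protect, the key-management question the article raises next is answered by where that one key lives; the provider holding the wrapped data keys gains nothing without it.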
Manage access to cloud services
For many applications, the company’s users will be the ones accessing a cloud computing service, and that human element can introduce new cloud security risks. One of the biggest threats: users’ lax password security practices.
To protect access credentials for cloud services from being stolen or misused, companies should apply the same password policies they use for other accounts — for example, mandating that complex passwords are used, that passwords are changed regularly, etc.
Organizations can also look for cloud computing providers that offer multi-factor authentication to access their accounts, if extra layers of security are needed.
Also, just as with in-house systems, it’s important to give people access only to what they need for their jobs, and to have rules against people sharing their log-in information with others — in addition to creating cloud security risks, that can create software licensing issues.
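The three access controls above (MFA, least privilege, no shared logins) can all be checked against the access logs most providers make available. The Go program below is an added example, not the article's or any vendor's code, of such a review: it flags accounts without MFA, grants that no logged action ever exercised (so they can be removed), and logins seen from more distinct source addresses than one person plausibly uses. The `AccessEvent` and `Account` layouts, the wildcard form `service:*`, and the sample accounts and log lines are all constructed for the example.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// AccessEvent is one access-log record reduced to the fields this review uses.
// The layout is constructed for the example, not a vendor's real schema.
type AccessEvent struct {
	Principal string // user or role that made the call
	Action    string // e.g. "storage:GetObject"
	SourceIP  string
}

// Account is what the provider's console reports about a login: the actions
// its role grants (wildcards such as "storage:*" allowed) and whether MFA is on.
type Account struct {
	Principal string
	Grants    []string
	MFA       bool
}

// covers reports whether grant ("*", "service:*" or an exact action) covers action.
func covers(grant, action string) bool {
	if grant == "*" {
		return true
	}
	if strings.HasSuffix(grant, ":*") {
		return strings.HasPrefix(action, strings.TrimSuffix(grant, "*"))
	}
	return grant == action
}

// UnusedGrants lists the grants of acct that no logged action exercised:
// candidates for removal under "access only to what they need".
func UnusedGrants(acct Account, events []AccessEvent) []string {
	used := map[string]bool{}
	for _, e := range events {
		if e.Principal == acct.Principal {
			used[e.Action] = true
		}
	}
	unused := []string{}
	for _, g := range acct.Grants {
		exercised := false
		for a := range used {
			if covers(g, a) {
				exercised = true
				break
			}
		}
		if !exercised {
			unused = append(unused, g)
		}
	}
	sort.Strings(unused)
	return unused
}

// MissingMFA lists accounts that can log in with a password alone.
func MissingMFA(accounts []Account) []string {
	out := []string{}
	for _, a := range accounts {
		if !a.MFA {
			out = append(out, a.Principal)
		}
	}
	sort.Strings(out)
	return out
}

// SharedCredentialSuspects lists principals seen from more than maxSources
// distinct source addresses, a common sign that a login is being passed around.
func SharedCredentialSuspects(events []AccessEvent, maxSources int) []string {
	sources := map[string]map[string]bool{}
	for _, e := range events {
		if sources[e.Principal] == nil {
			sources[e.Principal] = map[string]bool{}
		}
		sources[e.Principal][e.SourceIP] = true
	}
	out := []string{}
	for p, s := range sources {
		if len(s) > maxSources {
			out = append(out, p)
		}
	}
	sort.Strings(out)
	return out
}

// Constructed sample data: two accounts and a handful of log lines.
var SampleAccounts = []Account{
	{Principal: "alice", Grants: []string{"storage:GetObject", "storage:PutObject", "storage:DeleteObject", "iam:*"}, MFA: true},
	{Principal: "bob", Grants: []string{"storage:*"}, MFA: false},
}

var SampleEvents = []AccessEvent{
	{"alice", "storage:GetObject", "10.0.0.5"},
	{"alice", "storage:PutObject", "10.0.0.5"},
	{"bob", "storage:GetObject", "10.0.0.7"},
	{"bob", "storage:GetObject", "203.0.113.9"},
	{"bob", "storage:ListBucket", "198.51.100.4"},
}

func main() {
	for _, a := range SampleAccounts {
		fmt.Printf("%s: unused grants %v\n", a.Principal, UnusedGrants(a, SampleEvents))
	}
	fmt.Println("no MFA:", MissingMFA(SampleAccounts))
	fmt.Println("possible shared logins:", SharedCredentialSuspects(SampleEvents, 2))
}
```

The source-address heuristic is deliberately coarse: mobile users and VPN exits will produce false positives, so treat its output as a list to investigate rather than a verdict. The unused-grant check is the more reliable of the two and is worth re-running periodically, since roles tend to accumulate permissions that were needed once and never removed.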
Verify vendors’ cloud security capabilities
Before signing on with a cloud service provider, the company should find out as much as possible about the vendor’s security practices. While exact requirements will vary depending on the data in question, some of the things organizations should pay attention to include:
- Location — Some providers have different data centers around the world that they can use. But for some applications, companies will want to make sure data isn’t sent overseas — and often, regulations will specify where data must be held. When inquiring about locations, make sure to include back-up sites.
- Employees — It’s important to know how the vendor conducts background checks for employees that will have access to customers’ data — insider theft and negligence are common causes of data breaches. Also, find out if the provider has a full-time security staff.
- Architecture — Does the vendor use a multi-tenant architecture, in which different organizations’ data are held on the same hardware devices? In some cases that’s OK, and will allow for lower costs, but for some applications, a company will want dedicated hardware.
- Tools and protocols — Companies should learn what tools the vendor uses to protect data — for example, what type of encryption is used. It can also be a good idea to take a look at any policies and procedures related to protecting customers’ data.
Cloud computing providers may also have a number of third-party business partners they’re working with — and some of those may also get access to organizations’ data.
Therefore, a cloud security plan should include checks for other organizations that cloud vendors work with. It’s important for companies to be aware of all the places their data will end up.
Audit and test cloud security
Aside from gathering information about security from cloud vendors, it’s important that organizations get a chance to verify those claims for themselves — and to make sure that security standards are maintained throughout the time a service is in use.
To do that, organizations should look for cloud contracts that require regular audits and testing, and give customers the right to conduct their own audits and tests. If a vendor won’t allow cloud security audits or penetration testing, it may be a red flag that it’s best to avoid that provider.
When conducting cloud computing audits and testing, prioritize based on how much damage would occur if the data were breached — spend more time, effort and money testing the cloud applications that handle the most sensitive and critical data.
Have an exit strategy
Given the relative novelty of cloud computing, there are still some key cloud security questions that have yet to be addressed by many providers. One big area of concern revolves around who owns the data held in the Cloud and what happens to data when a cloud service is discontinued.
For cloud security, one key thing to look for in a provider is proof that all data will be properly destroyed once the company stops using a service. One recent study examined four major cloud providers and found that in some cases, data wasn’t completely wiped from the vendors’ servers after customers left or their data was moved to a different physical location.
Also, it’s important to verify in a cloud contract that the company will retain rights to all its data after the contract is terminated.
Get notified about data breaches
Another important factor in cloud security is staying aware of security incidents involving the cloud provider. However, different providers have different protocols for data breach notification.
Of course, the company will be notified if its own data is improperly accessed, but some experts say organizations should bargain to receive notifications about all security incidents involving the provider, even those that don’t affect the company’s own data.