As cloud computing becomes more popular, more important data is being held on third-party servers — and that data may be at risk because of vendors’ lax security.
Although companies have concerns about the security of cloud computing, just 29% say they perform a “heavy or comprehensive” review of cloud providers’ security practices, according to a recent study from IT industry association CompTIA.
That’s a big mistake, experts warn, because third-party vendors’ security vulnerabilities can cause just as many problems for companies as the vulnerabilities on their own networks.
Here are some steps companies should take to make sure their data is being adequately protected by cloud computing vendors:
- Look at security practices — Companies should have their own sets of security policies and procedures, and they should expect third parties that hold their data to do the same. A security review should include items such as how the firm conducts background checks for its employees, what user policies are in place, what technical controls are used, and how the vendor responds to security incidents.
- Establish consequences — In addition to up-time guarantees, the service level agreement (SLA) signed with the cloud provider should establish what happens if data is compromised while on the vendor’s network. That can include compensation for lost data.
- Audit regularly — The SLA should also require the vendor to undergo regular security audits and vulnerability tests, as well as allow the company to perform site visits or other activity to make sure that security controls are in place.
- Review your own security — Many companies try to limit cloud risks by keeping certain data in-house. To do that, the company should have policies about what data can be sent to a cloud computing vendor and a way to monitor what data is being sent. Also, security controls need to be in place to make sure data is secure and encrypted when it’s being sent to and from the vendor.