Protecting data when it moves to the cloud

Cloud computing raises a number of security concerns, especially when providers may pass information through multiple data centers around the globe. In this guest post, Anand Srinivasan describes the steps companies can take to make sure their data is protected. 

_____________________________________________________________

Cloud computing services like NetSuite are often spread out throughout the globe. Even if a cloud storage provider does indeed have its data center located in the same country as its headquarters, the processing of data could be done through outsourced tools that may be located in a different part of the world. This means the data a business owns is very likely to traverse through the borders of several countries routinely.

So how does a business overcome the security challenges arising from a migration to a global cloud-based system? As is often said, it is all in the fine print. It is very important that IT professionals spend considerable amount of time reading the contract that providers offer. Here are some things to look at:

Who owns the data?

Let us assume that you are a business located in North America and are exploring a partnership with a cloud storage provider whose data center is in the UK. It needs to noted that the data protection laws may vary among different countries. Sometimes, the kind of data protection law that applies to your business too changes with the way you have set your cloud system up.

For example, according to the data protection reform proposed for the European Union (expected to be taken up in 2014), a business that has its data stored in a private cloud can claim ownership for all the data. However, this may not necessarily be the case if the data is stored in a public or hybrid cloud.

In such instances, the rights of a North American business with data stored in the European Union is determined by the contractual clauses provided in the agreement. The provider must agree to adhere to the following key points in the contract-

Data encryption

While encryption of data is something most providers do offer to their customers, it needs to be ensured that this security control is implemented not just during the transfer of data from one server to another but also when it resides within a data center.

It is important that the contract also specifies the encryption standards being deployed (Example: AES-256).

Decryption handling

These are the secret keys that will help cloud providers translate the encrypted data back to the original content. It is important to understand how these keys are managed since having one person or team handling all the keys makes the entire encryption process redundant. If necessary, ask the vendor to let your business generate its own set of keys.

Data backup

Loss of data is one of the most critical dangers involved in using cloud services. The signed contract with the vendor should specify the best practices that the provider will take to protect data against loss not only from technical failures, but also due to fire, vandalism and natural disasters.

This implies synchronization of data across various data enters, sufficiently encrypting information at rest and handling the keys for decryption from these several storage centers.

Handling data after the partnership ends

The data protection regulations in most countries mandate easy migration of data from one provider to another as well as deletion of data if requested by the owner. Ensure that the contract specifically states these circumstances and how the data shall be handled during these various scenarios.

About the author: Anand Srinivasan is an independent consultant who writes on cloud and enterprise business management. He may be reached at anand.srinivasan@gorumors.com

Make Smarter Tech Decisions

Get the latest IT news, trends, and insights - delivered weekly.

Privacy Policy