Monday, May 25, 2009

Understand the risks of cloud computing

Cloud service users need to be vigilant in understanding the risks of data breaches in this new environment.

At the heart of cloud infrastructure is the idea of multi-tenancy and the decoupling of applications from specific hardware resources. In the jungle of multi-tenant data, you need to trust the cloud provider not to expose your information.

For their part, companies need to be vigilant, for instance about how passwords are assigned, protected and changed. Cloud service providers typically work with a number of third parties, and customers are advised to find out about those companies that could potentially access their data.

An important measure of security often overlooked by companies is how much downtime a cloud service provider experiences. He recommends that companies ask to see service providers' reliability reports to determine whether these meet the requirements of the business. Exception monitoring systems are another important area which companies should ask their service providers about.

An important consideration for cloud service customers, especially those responsible for highly sensitive data, is to find out about the hosting company used by the provider and, if possible, seek an independent audit of its security status.

Best practice for companies in the cloud
  • Inquire about exception monitoring systems.

  • Be vigilant around updates, making sure that staff don't suddenly gain access privileges they're not supposed to have.

  • Ask where the data is kept and inquire as to the details of data protection laws in the relevant jurisdictions.

  • Seek an independent security audit of the host.

  • Find out which third parties the company deals with and whether they are able to access your data.

  • Be careful to develop good policies around passwords: how they are created, protected and changed.

  • Look into availability guarantees and penalties.

  • Find out whether the cloud provider will accommodate your own security policies.