Getting businesses, big and small, into the cloud is the stated goal of several major vendors and their partners, but security concerns are still a barrier to sealing the deal. According to Symantec Corp.’s (NYSE: SYMC) 2011 State of Security survey released in August, security remains a major concern for companies of all sizes considering moving their data and business processes into the cloud.
In February, Dell acquired cloud security specialist SecureWorks in an attempt to enhance its managed security and threat intelligence services. The company is now working on getting its SMB customers using cloud services. In an interview with CDN, Allen Vance, director of product management for SecureWorks, based in Atlanta, offered 10 tips that businesses should consider for reducing security risks in the cloud, and what they should expect from their providers.
1. Keep your data secure
Essentially, this means encrypting your data, Vance said. “There are certainly a variety of technologies out there. It’s not a real rocket science problem.” The real issue is who has the keys to the encryption, though. Vance suggests businesses limit access to themselves or to a third party, such as Trend Micro, rather than the cloud provider itself. Your cloud provider may “have” the data, but who can actually read it is more important, he said.
2. Ensure that all users are properly authenticated
Think of all the people who might have access to your data, within your company and the cloud provider, and make sure they’re the right people. “Passwords are a very weak form of authentication management,” he said. Rather, companies should have a two-factor approach to their security. Physical electronic fobs are one way of ensuring only the people you want have access to your data.
3. Set proper levels of authorization
If everyone who had access to your cloud had the same level of access to the data, that would just be crazy, Vance said. This is related to what, in security, is called the principle of least privilege. “Give people the access they need to do their jobs and no more,” he said. Setting up and managing these levels should be offered by the cloud provider. “It’s not simple, but I would say a good cloud provider using modern technologies and the right technologies … will be able to support this.”
4. Monitor and track all user activity
“(Providers) actually need to understand what is happening, not just what you thought was happening,” Vance said. “You need to monitor and record all these transactions. Review them regularly to make sure the controls you have in place are actually working.” It’s not strictly necessary that the customer see it all the time, but the cloud provider needs to. In case something does go wrong or a breach occurs, monitoring this kind of activity is critical for understanding where the breach occurred and what should be done about it.
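Tips 3 and 4 go together: access is granted as narrowly as possible, every decision is recorded, and the record is reviewed to confirm the controls work. The following Go program is an added illustration of that loop, not code from SecureWorks or from the article; the policy model, the log format and the principals and resources in it are constructed for the example.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Policy is a constructed least-privilege model: each principal holds an explicit
// set of "action resource" entitlements and nothing else. There is no admin wildcard.
type Policy map[string]map[string]bool

func entitlement(action, resource string) string { return action + " " + resource }

// Grant adds exactly one entitlement to a principal.
func (p Policy) Grant(principal, action, resource string) {
	if p[principal] == nil {
		p[principal] = map[string]bool{}
	}
	p[principal][entitlement(action, resource)] = true
}

// Authorize decides and returns an audit line. Every decision is recorded,
// denied ones included, because the review step needs both.
func (p Policy) Authorize(ts, principal, action, resource string) (bool, string) {
	allowed := p[principal][entitlement(action, resource)]
	result := "DENY"
	if allowed {
		result = "ALLOW"
	}
	line := fmt.Sprintf("%s principal=%s action=%s resource=%s result=%s",
		ts, principal, action, resource, result)
	return allowed, line
}

// Review reads the audit trail and reports two things a control review looks for:
// denied attempts per principal (is the control firing, and against whom?) and
// granted entitlements that were never exercised (candidates to revoke).
func (p Policy) Review(trail []string) (denied map[string]int, unused []string) {
	denied = map[string]int{}
	used := map[string]map[string]bool{}
	for _, line := range trail {
		f := parseFields(line)
		if f["result"] == "DENY" {
			denied[f["principal"]]++
			continue
		}
		if used[f["principal"]] == nil {
			used[f["principal"]] = map[string]bool{}
		}
		used[f["principal"]][entitlement(f["action"], f["resource"])] = true
	}
	for principal, ents := range p {
		for e := range ents {
			if !used[principal][e] {
				unused = append(unused, principal+": "+e)
			}
		}
	}
	sort.Strings(unused)
	return denied, unused
}

// parseFields splits "key=value" tokens; the leading timestamp has no '=' and is skipped.
func parseFields(line string) map[string]string {
	out := map[string]string{}
	for _, tok := range strings.Fields(line) {
		if k, v, ok := strings.Cut(tok, "="); ok {
			out[k] = v
		}
	}
	return out
}

func main() {
	p := Policy{}
	p.Grant("alice", "read", "invoices")
	p.Grant("alice", "write", "invoices")
	p.Grant("bob", "read", "payroll")

	// Constructed activity, not a real log: bob reaches outside his role, carol has none.
	var trail []string
	for _, req := range [][4]string{
		{"2011-09-14T10:02:11Z", "alice", "read", "invoices"},
		{"2011-09-14T10:05:40Z", "bob", "read", "payroll"},
		{"2011-09-14T10:06:02Z", "bob", "read", "invoices"},
		{"2011-09-14T11:15:09Z", "carol", "read", "payroll"},
	} {
		_, line := p.Authorize(req[0], req[1], req[2], req[3])
		trail = append(trail, line)
	}
	denied, unused := p.Review(trail)
	fmt.Println("denied attempts:", denied)
	fmt.Println("unused entitlements:", unused)
}
```

The unused-entitlement list is the least-privilege feedback loop Vance describes: a grant that the audit trail shows is never exercised is one the business can take back.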
5. Ensure compliance with laws, regulations and guidelines as required by your particular business, industry and geography
“It’s straightforward in its intent,” Vance said, but complex in its execution. “For one thing, law has not actually caught up to cloud yet.” Industry compliance and privacy laws are constantly changing and customers and cloud providers need to be aware of that, Vance said.
He recommends hiring third party consultants to ensure your cloud is compliant, rather than relying solely on the cloud provider. If your business gets into legal trouble, the blame is on your business, not the cloud vendor. “You can shift, as they say, accountability to the cloud provider but you cannot shift your legal responsibility,” he said. “I would definitely go with an independent third party.”
6. Verify that when you delete data in the cloud, it’s actually deleted
Data encryption is the best way to combat this problem in the first place, Vance said. Then, even if your data isn’t necessarily completely gone, at least it can’t be read. “Have the cloud provider give you detailed technical and operational information about how data is deleted,” he suggested. “This also needs to specify what happens to backed up data.” This also can help your organization with legal liability issues, since having specifications in the contract of what happens to deleted data will show due diligence if it’s ever questioned, he said.
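Tips 1 and 6 rest on the same mechanism: data is encrypted before it reaches the provider, the customer (or a third party, not the provider) holds the key, and destroying the key makes every copy unreadable, including backups the provider never deleted. The Go program below is an added illustration of that idea and is not code from SecureWorks or the article; the in-memory key ring stands in for whatever key custodian the business chooses, and the object names and sample record are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Envelope is all the provider ever stores: a nonce and AES-GCM ciphertext.
type Envelope struct {
	Nonce      []byte
	Ciphertext []byte
}

// KeyRing is the customer-held key store. It is an in-memory stand-in (constructed
// for the example) for an HSM or a third-party key management service.
type KeyRing struct {
	keys map[string][]byte
}

func NewKeyRing() *KeyRing { return &KeyRing{keys: map[string][]byte{}} }

// Generate provisions a fresh 256-bit key under keyID.
func (k *KeyRing) Generate(keyID string) error {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return err
	}
	k.keys[keyID] = key
	return nil
}

// Destroy is the crypto-shredding step: once the key is gone, every ciphertext
// sealed under it, including the provider's backup copies, is unreadable.
func (k *KeyRing) Destroy(keyID string) {
	delete(k.keys, keyID)
}

func (k *KeyRing) aead(keyID string) (cipher.AEAD, error) {
	key, ok := k.keys[keyID]
	if !ok {
		return nil, errors.New("key not available: destroyed or never provisioned")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts client-side before upload. The object name is bound as associated
// data, so a ciphertext moved to a different object name fails to decrypt.
func (k *KeyRing) Seal(keyID, objectName string, plaintext []byte) (Envelope, error) {
	gcm, err := k.aead(keyID)
	if err != nil {
		return Envelope{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Envelope{}, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, []byte(objectName))
	return Envelope{Nonce: nonce, Ciphertext: ct}, nil
}

// Open decrypts after download; it fails if the key is gone or the data was tampered with.
func (k *KeyRing) Open(keyID, objectName string, env Envelope) ([]byte, error) {
	gcm, err := k.aead(keyID)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, []byte(objectName))
}

func main() {
	ring := NewKeyRing()
	if err := ring.Generate("customer-records"); err != nil {
		panic(err)
	}
	provider := map[string]Envelope{} // stand-in for the provider's storage
	env, err := ring.Seal("customer-records", "customers.csv", []byte("constructed sample record"))
	if err != nil {
		panic(err)
	}
	provider["customers.csv"] = env
	backup := provider["customers.csv"] // the provider keeps a backup the customer cannot see

	pt, _ := ring.Open("customer-records", "customers.csv", provider["customers.csv"])
	fmt.Printf("with key: %s\n", pt)

	delete(provider, "customers.csv") // customer "deletes" the object
	ring.Destroy("customer-records")  // and shreds the key
	_, err = ring.Open("customer-records", "customers.csv", backup)
	fmt.Println("backup after key destruction:", err)
}
```

The point of the final lines is the one Vance makes: whether or not the provider's deletion and backup procedures are as described, ciphertext without its key is not readable data.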
7. Confirm that you own the data that resides in the cloud
“You need to be clear and there needs to be clear contractual language where the responsibilities lie,” he said. This is especially important when hosting third party data, such as your organization’s customer information. Data privacy laws also differ geographically, he pointed out. “If you have multiple clouds, you can’t just automatically move that data around.” If some of your data is outside Canadian borders, for example, you need to confirm who is responsible for it.
8. Establish service level agreements (SLAs) that specify data and system availability
“Really, the strength of any agreement with a cloud provider comes down to what’s in the SLA,” Vance said. The agreement should be as broad as possible in what the provider will cover, he said. But it also needs to be very specific on definitions and penalties. For example, if a provider offers an organization compensation for downtime, the contract should specify whether this includes expected downtime, such as scheduled maintenance.
Even more important is whether that compensation comes close to the real damage an organization would suffer in the worst case scenario, he said. “That’s where a lot of negotiation goes on.” It’s important to remember that there’s flexibility in these agreements, he said. The larger the deal, the more willing a cloud provider usually is to negotiate.
9. Make sure your cloud vendor has a viable disaster recovery plan in place
“Have a copy of the provider’s disaster recovery and business continuity plan,” he said. And don’t just make sure there’s a plan; make sure it’s a good plan. Organizations should ensure that their cloud providers have replicated data centres, for example, and can guarantee recovery within a reasonable timeframe. “No plan has any value at all unless it’s tested,” he added. Find out how a cloud provider tests its recovery plan and how often.
10. Have an exit strategy
An organization’s cloud agreement should not be like the Hotel California, Vance said. Once you “check in” with a provider, you should be able to get out. “The day to start thinking about that is the day you start talking to your current potential cloud provider,” he said. It’s almost like an apartment lease: organizations should consider what to do if they are unhappy and want to move to another cloud provider. “You need to understand all that stuff up front and put it in the contract.”