The security risks involved with cloud computing were critical considerations when my company was eager to take advantage of this innovative technology. We needed to perform a risk assessment of all cloud-computing hosting services we were considering hiring. The assessment included privacy, recovery and data integrity, along with an assessment of all legal issues that involve auditing, regulatory compliance and e-discovery.
Specific Security Matters
For us, it was critical to demand transparency when seeking the best cloud computing service and avoid all vendors that would not offer detailed data on the service’s security programs. There were key specific security matters that needed to be addressed before choosing the best cloud-computing vendor. They included:
Privileged User Access – Customers should recognize that anytime sensitive information is processed outside the business, it creates inherently higher levels of risk. Because an outsourced service bypasses the traditional “logical, personnel and physical controls” usually managed by in-house information technology (IT) departments, the provider must supply specific data on exactly how access will be controlled.
Regulatory Compliance – Even though businesses are outsourcing services to an outside provider, they remain ultimately responsible for the integrity and security of the company’s confidential data. It is crucial to select an outside cloud-computing service provider that is fully upfront about its security certifications and external audits.
Risk-Control Processes – Any cloud computing service provider needs to be upfront about their specific risk control processes and containment measures. This would include identification, planning, analysis, and tracking of all realized and unrealized risks along with a constant review of known existing risks. The service provider should detail all monitoring triggered conditions along with the extensive contingency plans in the event of a breach in security.
Data Location – Because cloud computing operates globally, companies need to understand exactly which country will be storing their critical and confidential data. It is crucial that the cloud computing provider commit to processing and storing the company’s data in specified jurisdictions and, through a contractual commitment, obey all regional and local privacy requirements and laws on behalf of the company.
Data Segregation – In the world of cloud computing technology, data is usually stored in a shared environment with other clients and customers. High-level encryption is often used to ensure ultimate protection. However, it has its own inherent risks. The cloud-computing provider should detail all encryption schemes that have already been fully tested by outside specialists, to avoid any encryption accident that could render the company’s confidential data unusable.
Data integrity, privacy, regulatory compliance, security and recovery issues are always major considerations that my company, and every business, needs to evaluate and assess before selecting a cloud computing service provider.