The Cloud

Most, if not all, organisations now have some reliance on cloud-based services, whether for storage, hosted software or delivery of services to customers.

Common examples of cloud computing include:

  • Software-as-a-service (SaaS) is cloud computing where the software you would normally install on office computers is instead delivered via the internet. It is also commonly known as ‘hosted software’ or ‘hosted applications’.
  • Infrastructure-as-a-service (IaaS) cloud computing is where you rent space in a datacentre and use their servers rather than buying new hardware to run your business. A common example of IaaS is website hosting.
  • Online data storage or backup of any type also relies on the cloud.

As well as delivering management and sometimes cost benefits, the cloud also facilitates flexible working practices such as home and other off-site working.

The risks

Whatever tasks or applications you use the cloud for, it is vital to protect your own and any customer data that resides there. Analyst firm Gartner has identified seven perceived risks of cloud computing:

  • Privileged user access

Keeping sensitive information with a third party has inherent risks because you are bypassing your company’s own IT infrastructure and support team.

  • Regulatory compliance

Customers are responsible for their own security and data integrity.

  • Data location

You do not know where the information is physically being stored; it could be anywhere in the world.

  • Data segregation

Your data is stored alongside other people’s data and an encryption failure could make your data completely unusable.

  • Recovery

What happens in a disaster? Is the data being replicated?

  • Investigative support

Inappropriate or illegal activity might be hard or impossible to investigate.

  • Long-term viability

What happens if your provider is bought out or bankrupted?

You can either choose to host applications and infrastructure selectively in the cloud, or opt for a provider who provides a total cloud offering.

Choosing a cloud provider

Research the cloud provider market thoroughly and use only experienced, well-resourced companies who have an excellent reputation and, preferably, come recommended. They must be able to help you as your needs change and your organisation grows, understand your business model and demands, and be able to communicate with you in a way you understand. The provider should be ISO 27001 certified, which will ensure that your data is hosted in an environment that meets international baseline information security management standards of confidentiality, integrity and availability.

Protecting your presence in the cloud

Apart from making a wise, informed choice of cloud provider, you should observe the following precautions to maintain data safety, integrity and availability:

  • Limit access to the cloud servers to those who need it. Maintain a clear audit trail of who has access to what data and when, and a record of who has access to encryption keys (if used). Change encryption keys if employees leave the business.
  • Ensure that any customer data stored in the cloud is either encrypted or hashed in such a way as to make it unusable to unauthorised users. Many large and small organisations have faced legal action for failing to adequately protect data when their cloud-based services were hacked.
  • Keep development and live environments separate to make direct access from development servers to live data impossible.

Cloud hosting contracts

You should have a cloud hosting contract that clearly defines:

  • What exactly your provider will do for you (and what they expect you to do for yourself).
  • A schedule for any project work that will be undertaken (such as how long it will take to install a new server).
  • A service level agreement – how quickly and to what level they will respond to and fix problems.
  • A clear fee structure.
  • Penalties in the event of a lapse or shortfall in service, or a security breach.

Jargon Buster

A Glossary of terms used in this article:

Encrypted

The process of converting data into cipher text (a type of code) to prevent it from being understood by an unauthorised party.

Cloud computing

The delivery of storage and computing capacity to end users via the internet. Commonly used for backing up data and hosting applications.

Cloud

See cloud computing.