Interestingly, when we ask new cloud customers what their biggest concern was before switching to the cloud, only 15% say security.
This suggests that the majority of businesses adopting cloud computing are satisfied about how secure their information will be (of course, if they weren’t satisfied they wouldn’t adopt it).
That’s not to say that security shouldn’t be a concern for those considering the cloud however. With the reputational, operational and legal risks, data and information protection must be high on the agenda.
Assessing cloud security
When assessing the security of cloud computing, it’s important to compare apples with apples. Not all cloud implementations are the same – each uses different systems and designs, all of which affect overall security.
Therefore, blanket declarations that say the cloud is either secure or insecure don’t make sense.
Instead, when judging the security of a particular cloud provider’s implementation, there are a number of questions to ask:
Where will my data be?
Find out exactly how the provider in question implements their cloud. Will your data be held only in Australia, for example? In what cities and in what facilities?
Follow your data through all parts of its lifecycle. How will your data be backed up, for example, and where will those backups reside?
How secure are your systems?
Your provider should be able to clearly articulate how your systems and information will be protected in the cloud.
Ask what audits and reviews of security are in place, and what active network and software protections exist.
Understand when and where your information will be housed on shared systems, and what ensures security when that occurs.
How secure are your facilities?
The data centres your cloud will use must have tight physical controls.
This means 24/7 surveillance, controlled access to all areas and individually locked racks at the very least. Request a tour to satisfy yourself that you’re not going to be exposed to a physical breach.
Ask yourself: how will it compare?
Once you have a feel for the security that’s on offer in the cloud you’re considering, compare it to the security you currently have.
Remember that cloud access is likely to have a positive effect on how your employees work with your data. Instead of carrying information on easily lost or stolen laptops and USBs, your staff can use the cloud to access the information they need over the air.
There’s also every chance that your provider’s systems will be more secure than anything you could achieve internally (at least without a massive capital outlay). Can you employ a full-time security chief, for example? Your cloud provider probably can.
If you decide that the security that will be delivered by the cloud is going to be lower than what you have in-house, then it’s time to weigh the size of the increased risk against the benefits of the cloud.
But it’s important to realise that, in relying on the cloud security, you’re not alone.
Our cloud customers, for example, include credit unions, financial advisors and others with tight security requirements.
Before adopting the cloud, you need to be sure that it will meet your security and compliance requirements. Many businesses have assessed the security risks associated with the cloud to be equal to or less than what they can achieve internally. As a first step, examine your current policies and assess your security requirements before you start your search.
Dave Stevens is MD, Brennan IT
(This blog post was first published on the SmartCompany website on November 24 2011).