With the ever-increasing demand for cloud computing, one question takes precedence over all others: “How safe is our data on the cloud?”
A majority of technology and business executives plan to boost their spending on the private cloud in the coming years. They are targeting the public cloud space as well, with nearly 57% of the leadership claiming that they are ramping up their investments in public clouds.
Understandably, security is weighing heavily on the minds of CIOs as organisations shift their core processes over to the cloud. What remains to be seen is how well security strategies are planned out and implemented.
In this blog, we will try to discuss the most important things that companies need to do before they make the leap to the cloud. While not exhaustive, this list can certainly be a starting point for a full cloud security policy.
It’s imperative that companies understand their own infrastructure and their own environment so they can mandate to service providers how their data is to be controlled. Before making the transition to the cloud, the most important question for companies to ask is: do they understand their current risks and what their assets are?
Understanding data classification and data structure is important. A lot of companies don’t do this well. This is the most important and hence the first thing companies should be thinking about.
The tricky part is that we need the same level of information from our cloud providers as we do from our own internal systems. Keeping track of where your data is going to reside becomes incredibly pertinent. The right cloud provider can serve as a powerful security partner in this regard.
Some of the big cloud providers maintain a team of investigators who respond and capture information much more quickly, so there are some strong advantages there.
The following is a checklist for a risk-based assessment of your cloud environment:
Privacy: Privacy can be assessed using the Generally Accepted Privacy Principles audit framework. Organizations should also use the privacy guidance that is appropriate to their industry.
Availability: Availability can be measured by investigating the resilience of the architectural components and reviewing the data recovery and information retrieval aspects.
Scalability: Scalability is assessed by due diligence on aspects such as load testing, stress testing and forecast growth.
Security: The assessment of information security should include, at a minimum, data encryption, data storage location, segregation, risk management, user access, systems management, and incident response.
Metering: Metering can be assessed by revenue-recognition testing as well as due diligence on the integrity and security of metering systems.
Data leakage: The likelihood of unauthorized disclosure of data can be examined by a risk assessment that specifically evaluates data-leakage vulnerabilities.