Cloud computing security dangers exaggerated
Posted in Articles on Monday, November 17, 2014
by Richard Vester - Director, EOH Cloud Services
As with most security decisions, when thinking about the risks involved with moving to cloud computing, organisations should consider what business benefits they are hoping to achieve, versus the risks they are willing to accept.
Security is always a balance of risk versus reward. No security solution is a silver bullet. Anyone who tells you they can offer an absolute level of security, regardless of how it may be delivered, is talking nonsense.
Cloud service risk assessment
The risks need to be considered in the context of the business. Firstly, examine the data and applications you wish to migrate to the cloud, and classify them in terms of how crucial they are to the business, how sensitive the information is, and what regulations and governance rules affect that data. Once this stage is complete, a cloud service can be selected that can support the level of security, compliance and availability that is required.
Before signing a cloud services contract with a cloud provider, read the fine print and make sure you understand the terms and conditions, and decide whether these are acceptable to you. If the contract satisfies your organisation's own standards, that is fine, but don't accept anything less than you would accept from your own technical department. Selecting a cloud provider that has independent certification of its security measures is also advisable.
Cloud services ultimately pose no greater risks
Ultimately there are no really good reasons why sensitive data shouldn't be stored in the cloud - the risks, like any other risks to the business, need to be managed. Most businesses will already have a risk management strategy in place, and it is simply a matter of tweaking these strategies to cover any cloud-related matters.
An organisation's obligations with regard to compliance and privacy don't suddenly change because the data has migrated to the cloud. The strategies used to manage compliance and privacy can be applied to cloud-based platforms too, with only small adjustments needed.
These adjustments are also fairly straightforward. Take an information-led, risk-based approach and decide what data will be stored in the cloud, and what the potential consequences would be should a data breach occur and that data be lost, stolen or destroyed. Once you know this, the necessary legal and regulatory obligations can be considered, particularly where personal information or sensitive financial information is concerned.
Most importantly, decide what type of cloud service to use. A combination of a specific cloud service deployed on a specific type of cloud computing platform can be scrutinised from a risk and control perspective, and a suitable combination of cloud service and type - one that has the lowest risk and most control - can be adopted.
Richard Vester has been in the ICT industry since 1997, intimately involved in product development, operations and product marketing. He has worked for some of the leading ICT companies in South Africa and joined EOH as the Divisional Director Cloud Services in 2012. He has a detailed knowledge and understanding of cloud computing and has developed one of the leading cloud businesses in Africa.