Understanding the risks of cloud computing: Questions to ask your service provider
by Adam Bosnian - VP of Products, Strategy and Sales at Cyber Ark - Monday, 26 October 2009.
Cloud computing has changed the audit and risk profile of data systems in most organizations. Whilst the economics of going down the cloud route for data storage are highly attractive, there are also a number of data security issues to consider.

Where, for example, is my data really being stored? What happens when I delete it - is it really deleted, or is there a backup somewhere I'm not aware of? These are questions that need to be asked by the audit team before negotiations with the cloud service provider begin.

We are at the start of a huge learning curve with cloud security and many organizations are contracting with cloud service providers without undertaking the due diligence that their board of directors - and where appropriate, shareholders - are looking for.

Generally speaking there are four main cloud services that companies of all sizes are looking for - applications, data storage, infrastructure and platform - and they all are linked. Most cloud services are offered on a shared server basis, that is, the IT resources on a given server are shared between multiple organizations. Some companies are going down the route of signing up for non-shared cloud services that are offered on a secure basis by the likes of IBM and Unisys.

Even though this effectively means a company's data storage facilities are installed remotely, the economies of scale of major data centers make such services cost-effective - though not as highly cost-effective and environmentally friendly as shared cloud services.

Introducing risk analysis to the cloud selection process

Virtually all company IT systems are engineered to support physical drives, so integrating a cloud environment into the IT resource usually involves a lot of work on the software and integration front. In the real world, you can see your PC or drive has been stolen, but in the virtual world, there are no such comforts. As a result, meeting compliance and regulation issues is very difficult. Even secure cloud services have an increased risk of data going walkabout - for any reason - than having your organization's data neatly tucked up on your own servers.

To counter these issues, it is necessary to employ a carefully defined risk analysis of IT systems and procedures before a decision on which cloud technology and service is the best option for your organization, before later steps such as the creation of service level agreements, remediation procedures and penalty clauses are started. The four main stages in this analysis are as follows:

1. ID management and Access Control - who is authorized to do what and when.
2. Regulatory requirements Ė Basel II, SOX, PCI, SAS70
3. Data handling processes - where is the company's data located? And how is it managed?
4. Staff management - when someone leaves, comes on board or changes roles, what happens?

Whilst cloud computing changes the data handling ballgame significantly, provided the IT security technology that is being employed - or planned - by the organization can handle cloud, as well as conventional, IT data storage systems, the gap between network and cloud-based security analysis is not as great as some experts report it to be.

What is required is an assessment of the expectations that management and the business have for the cloud outsourcing contract Ė IE - what precise functions are required to be completed by the outsourcing company? And what are the performance and security criteria that the provider will be held to.

Questions to ask your cloud service provider


Harnessing artificial intelligence to build an army of virtual analysts

PatternEx, a startup that gathered a team of AI researcher from MIT CSAIL as well as security and distributed systems experts, is poised to shake up things in the user and entity behavior analytics market.

Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.

Daily digest

Receive a daily digest of the latest security news.

Mon, Feb 8th