Evaluate potential providers based on their responses to these key concerns.
More and more, small businesses are moving to cloud computing, signing up with private providers that make sophisticated applications more affordable as well as setting up their own accounts with public social media sites like Facebook. The trend is confirmed by Microsoft in its global SMB Cloud Adoption Study 2011, which found that 49 percent of small businesses expect to sign up for at least one cloud service in the next three years.
Private and public clouds function in the same way: Applications are hosted on a server and accessed over the Internet. Whether you’re using a Software as a Service (SaaS) version of customer relationship management (CRM) software, creating offsite backups of your company data, or setting up a social media marketing page, you’re trusting a third-party company with information about your business and, most likely, your customers.
Although cloud computing can offer small businesses significant cost-saving benefits—namely, pay-as-you-go access to sophisticated software and powerful hardware—the service does come with certain security risks. When evaluating potential providers of cloud-based services, you should keep these top five security concerns in mind.
1. Secure data transfer. All of the traffic travelling between your network and whatever service you’re accessing in the cloud must traverse the Internet. Make sure your data is always travelling on a secure channel; only connect your browser to the provider via a URL that begins with ”https.” Also, your data should always be encrypted and authenticated using industry standard protocols, such as IPsec (Internet Protocol Security), that have been developed specifically for protecting Internet traffic.
2. Secure software interfaces. The Cloud Security Alliance (CSA) recommends that you be aware of the software interfaces, or APIs, that are used to interact with cloud services. ”Reliance on a weak set of interfaces and APIs exposes organizations to a variety of security issues related to confidentiality, integrity, availability, and accountability,” says the group in its Top Threats to Cloud Computing document. CSA recommends learning how any cloud provider you’re considering integrates security throughout its service, from authentication and access control techniques to activity monitoring policies.
3. Secure stored data. Your data should be securely encrypted when it’s on the provider’s servers and while it’s in use by the cloud service. In Q&A: Demystifying Cloud Security, Forrester warns that few cloud providers assure protection for data being used within the application or for disposing of your data. Ask potential cloud providers how they secure your data not only when it’s in transit but also when it’s on their servers and accessed by the cloud-based applications. Find out, too, if the providers securely dispose of your data, for example, by deleting the encryption key.
4. User access control. Data stored on a cloud provider’s server can potentially be accessed by an employee of that company, and you have none of the usual personnel controls over those people. First, consider carefully the sensitivity of the data you’re allowing out into the cloud. Second, follow research firm Gartner’s suggestion to ask providers for specifics about the people who manage your data and the level of access they have to it.
5. Data separation. Every cloud-based service shares resources, namely space on the provider’s servers and other parts of the provider’s infrastructure. Hypervisor software is used to create virtual containers on the provider’s hardware for each of its customers. But CSA notes that ”attacks have surfaced in recent years that target the shared technology inside Cloud Computing environments.” So, investigate the compartmentalization techniques, such as data encryption, the provider uses to prevent access into your virtual container by other customers.
Although you should address these security issues with the cloud provider before you entrust your data to its servers and applications, they shouldn’t be a deal breaker. Cloud computing offers small businesses too many benefits to dismiss out of hand. After all, you already met many of these security challenges the first time you connected your network to the Internet.
What criteria have you used to evaluate how well a cloud computing provider secures data?