According to a study by Intuit, as of August 2014, 37% of businesses had fully adapted to cloud computing. Moreover, they expect this number to reach nearly 80% by the year 2020. The benefits of cloud are wide ranging, from opening the scope of possibilities in developing new technology to improving communication and collaboration among workers. In fact, as cloud continues to shape the other technologies on which businesses run, it will soon be nearly impossible to avoid.
All that being said, there are still a number of concerns people have over the security of cloud computing. This is partially due to the high-profile data breaches of recent years and partially due to the thought that keeping one’s data locally, in one’s own hands, is more secure. There continue to be, however, great leaps in cloud security, leaving less and less cause for worry. With the degree to which cloud computing is becoming the new norm, it makes sense for organizations to seriously consider it and answer their security questions in a systematized and grounded way, rather than listening to abstract fears based on hyped news stories. Here is a checklist of the top 10 elements of cloud security for you to use when looking at cloud software.
1. Encryption
The two types of encryption that are important to cloud security are encryption at rest and encryption in transit. The former refers to encrypting any data that’s in some kind of storage, while the latter applies to data that is moving between computer networks or is temporarily in a computer’s memory to be read or updated. According to some, neither type of encryption happens as often as it should.
2. Physical and logical access controls
Logical access, as opposed to physical access, is remote interaction with hardware. Both remote and physical interaction are points that need to be secured. The way an organization governs access will change from company to company, but it’s important to at least ensure that there is a process in place and that it’s regularly audited.
3. Vetting employees
With the majority of data breaches actually caused by human error, one of the most important things a cloud software provider can do is carefully control who has access to that data and technology. This means careful training to avoid negligence and background checks to avoid malicious behavior.
4. ISO/IEC 27001 accreditation
The ISO offers accreditation for information security management, known as ISO/IEC 27001. These standards are designed to help organizations ensure that all sensitive proprietary or third party information is secure, and provide a framework for management of all data.
5. Vulnerability and penetration testing
The best way to know if your system is secure is to test it. Organizations with good information security practices in place will conduct checks designed to find holes in security in order to fix them. If they know where their weaknesses lie, they can get to them before a hacker does. Ensure your provider conducts regular, independent system tests.
6. Physical location of the data
One thing that’s easy to forget when discussing cloud is that the data ultimately has to be stored in a physical location – often a large server farm. Information on where your data will be stored may not necessarily be available, but if it is, ask how local law will affect security.
7. Destruction of data and hardware
When old equipment needs to be disposed of, or if data or hardware need to be destroyed for any other reason (obviously not in a way that would cause data loss for your organization), it needs to be done in a secure way. Ensure that when your provider gets rid of hardware, there is no way for anyone else to obtain it and recover data from it.
8. Product security features
The product itself should be secure for you, the consumer, to use. This means various things, depending on the nature of the product, such as IP restrictions or auto logout. Make sure you know what features the product you’re considering should have before making a purchase.
9. Incident response policy
Even with all the aforementioned precautions, it’s possible for data to be compromised or lost. The same goes for data and software that aren’t hosted in the cloud. In that unfortunate event, what is the vendor’s incident response policy? Do they have procedures in place to recover the data if possible? What steps do they go through in an emergency?
10. Notification policy
Aside from an incident response policy, how does an organization deal with you as a customer if something happens to your data? How quickly are you notified, and how transparent is the process? Make sure the organization has a practice of keeping clients aware of all the steps they take so that you aren’t caught off guard.
The cloud is getting more secure all the time, and with all its other benefits, there is less of a reason to host software on premises. However, just because security is not an issue doesn’t mean that companies can look the other way and blindly trust vendors. It’s important to be aware of how a cloud software provider is handling your data and to ensure that security is a top priority. This checklist is only a starting point, but using it will open conversations which can help you feel confident in the security of your data in the cloud.