The arrival of the cloud transformed the way organizations store, process and share information. Still, lingering questions about the safety and security of information kept on cloud platforms rather than on-site have caused a number of companies to think twice about trusting cloud service providers with their sensitive information.
In discussing cloud security concerns, it’s important to consider the types of sensitive information that companies are keeping in the cloud to better appreciate why security is so vital to its protection. Typically the term “sensitive information” brings to mind Personally Identifiable Information (PII) such as Social Security numbers or Payment Card Industry (PCI) data such as credit card numbers.
But depending on the organization, sensitive data can mean something entirely different. For example, sensitive information for product development companies exists as trade secrets, patents and intellectual property. For publicly traded companies it’s financial information. For data hosting companies, protecting customer data is paramount. For healthcare organizations it’s personal patient data. And for educational institutions such as colleges and K-12 schools, sensitive data takes the form of student and employee PII.
Regardless of the type of data involved, the concerns that organizations have for protecting that sensitive information are essentially the same (and if the recent Heartbleed scare isn’t proof enough, private online information is at risk). Here’s a look at some of those main concerns, along with ways organizations can work with cloud service providers to alleviate them.
Concerns about cloud security responsibilities
Most companies looking to enter into cloud service agreements assume that the providers will take responsibility for the safety of the data stored on their servers. However, that assumption is often false, as many cloud service providers put the responsibility for keeping business data secure solely on the client. That makes it incumbent upon companies to address security concerns with cloud vendors, making sure that risks are clarified and that the duties and responsibilities of the company and the cloud provider with regard to security are clearly spelled out and understood before entering into any agreement.
Concerns about the security of data in the cloud
Once companies engage a cloud service, they need to be able to collect security information in order to determine what is happening to their sensitive data and applications in the cloud. However, a number of cloud providers are unable to supply clients with detailed log files—such as audit logs of admin access—nor can they effectively separate the events pertaining to one client from those of another. To best address this concern, companies need to make sure that cloud service providers make detailed and meaningful logging information available to them at all times for all of the various analytics they need to track.
Concerns about encryption
To improve data security in the cloud, many companies are now asking cloud providers to permit them to encrypt data on premises before moving it to the cloud. In response, companies should expect cloud providers to be proactive in developing and implementing security solutions to make their sensitive information more secure. In addition, companies should insist that providers be transparent about how and by whom these solutions will be managed.
Concerns about anomaly detection
Even end-to-end data encryption in the cloud cannot protect sensitive information from an attack where account credentials are compromised. As a result, companies should make sure that cloud service providers have strong anomaly detection systems in place and that they are able and willing to share system information and audit records with them.
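The following added example, which is not from the original article, shows the kind of check a company can run itself once a provider hands over per-tenant audit records: it keeps only one client's events and flags access from a country not previously seen for that account. The JSON-lines log format, the field names, the tenant and user names, and the two-hour travel threshold are all assumptions made for illustration.

```python
import json
from datetime import datetime, timedelta

# Constructed sample: provider audit log as JSON lines (format is an assumption).
SAMPLE_LOG = """\
{"ts": "2014-04-01T09:00:00", "tenant": "acme", "user": "alice", "action": "admin_login", "country": "US"}
{"ts": "2014-04-01T09:05:00", "tenant": "globex", "user": "bob", "action": "admin_login", "country": "DE"}
{"ts": "2014-04-02T09:02:00", "tenant": "acme", "user": "alice", "action": "export_data", "country": "US"}
{"ts": "2014-04-02T09:30:00", "tenant": "acme", "user": "alice", "action": "admin_login", "country": "RO"}
{"ts": "2014-04-02T09:31:00", "tenant": "acme", "user": "alice", "action": "export_data", "country": "RO"}
{"ts": "2014-04-03T10:00:00", "tenant": "acme", "user": "carol", "action": "admin_login", "country": "US"}
"""

TRAVEL_WINDOW = timedelta(hours=2)  # assumed threshold for "too fast to travel"

def tenant_events(log_text, tenant):
    """Parse the log and keep only one tenant's events, in time order."""
    events = [json.loads(line) for line in log_text.splitlines() if line.strip()]
    own = [e for e in events if e["tenant"] == tenant]
    for e in own:
        e["ts"] = datetime.fromisoformat(e["ts"])
    return sorted(own, key=lambda e: e["ts"])

def flag_anomalies(events):
    """Flag events from a country not seen before for that user, noting
    when the change happened faster than TRAVEL_WINDOW allows."""
    seen = {}   # user -> set of countries observed so far
    last = {}   # user -> previous event for that user
    alerts = []
    for e in events:
        user, country = e["user"], e["country"]
        known = seen.setdefault(user, set())
        prev = last.get(user)
        # A user's first event only builds the baseline; it is never flagged.
        if known and country not in known:
            fast = prev is not None and e["ts"] - prev["ts"] < TRAVEL_WINDOW
            reason = "new country, implausible travel" if fast else "new country"
            alerts.append((user, e["action"], country, reason))
        known.add(country)
        last[user] = e
    return alerts

if __name__ == "__main__":
    for alert in flag_anomalies(tenant_events(SAMPLE_LOG, "acme")):
        print(alert)
```

A check like this only works if the provider can deliver records that are already separated by client and include source information for each administrative action.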
Concerns about third-party access to information
In light of the recent revelations about the NSA’s clandestine activities—particularly gathering and analyzing massive amounts of personal data with apparent autonomy—companies need to be more concerned than ever about how cloud service providers handle third-party requests for information. To address these concerns, providers need to be totally open with their clients about who is requesting data, how frequently those requests are occurring, and whether or not those requests are being complied with.
Going forward, companies looking to engage cloud services need to understand that they own their own data and are therefore ultimately responsible for making sure sensitive information remains secure. Salesforce and many other cloud service providers offer security services alongside their products, but these added services are there only to assist the company using the software.
The recent data breaches of organizations such as Facebook, Google, Twitter, Yahoo, LinkedIn, Evernote and others serve as stark reminders that cloud security is and will continue to be a concern for every company.