The arrival of the cloud transformed the way organizations store, process and share information. Still, lingering questions regarding the safety and security of information kept on cloud vs. on-site platforms has caused a number of companies to think twice about trusting cloud service providers with their sensitive information.
In discussing cloud security concerns it’s important to consider the types of sensitive information that companies are keeping in the cloud to better appreciate why security is so vital to its protection. Typically the term “sensitive information” brings to mind Personally Identifiable Information (PII) such as social security numbers or Payment Credit Industry (PCI) data such as credit card numbers.
But depending on the organization, sensitive data can mean something entirely different. For example, sensitive information for product development companies exists as trade secrets, patents and intellectual property. For publicly traded companies it’s financial information. For data hosting companies, protecting customer data is paramount. For Healthcare it’s personal patient data. And for educational institutions such as colleges and K-12 schools, sensitive data takes the form of student and employee PII.
Regardless of the type of data involved, the concerns that organizations have for protecting that sensitive information are essentially the same (and if the recent Heartbleed scare isn’t proof enough, private online information is at risk). Here’s a look at some of those main concerns, along with ways organizations can work with cloud service providers to alleviate them.
Concerns about cloud security responsibilities
Most companies looking to enter into cloud service agreements assume that the providers will take responsibility for the safety of the data stored on their servers. However, that assumption is often false, as many cloud service providers put the responsibility for keeping business data secure solely on the client. That makes it incumbent upon companies to address security concerns with cloud vendors, making sure that risks are clarified and that the duties and responsibilities of the company and the cloud provider with regard to security are clearly spelled out and understood before entering into any agreement.
Concerns about the security of data in the cloud
Once companies engage a cloud service, they need to be able to collect security information in order to determine what is happening to their sensitive data and applications in the cloud. However, a number of cloud providers are unable to supply clients with detailed log files—such as audit logs of admin access—nor can they effectively separate the events pertaining to one client from those of another. To best address this concern, companies need to make sure that cloud service providers make detailed and meaningful logging information available to them at all times for all of the various analytics they need to track.