The recent explosion of cloud services has been a revolution in outsourcing. But does this come at the cost of security?
We have worked with our customers to assess the cloud services that they are looking to buy or have bought. Now we would like to share some of the points that we advise them on. We have assessed payroll and HR services, Customer Relationship Management systems, e-commerce platforms and infrastructure hosting.
Essentially a move to the cloud is using a 3rd party’s system. Risk is introduced regardless of the type of cloud service that you use. So is a move to the cloud worth the risk, considering you’re using a service where you no longer control everything? The answer is that it really depends, both on the particular cloud service provider and on the criticality of your information. If you use, or are thinking about using cloud based services, follow our tips below to make sure that you are minimising your risk.
Data sovereignty
Make sure you know where your data will be physically stored. Also make sure that you can access it in times of need. Data sovereignty is important when it comes to being compliant. You should be aware of the data regulations of where your users reside.
An article in TechCrunch says it’s important to realize how mission-critical compliance is. They argue that “maintaining compliance may be critical to your business, or it may be an afterthought, but it’s necessary to understand how your company prioritises these regulations and how much of your resources you should dedicate.”
Get Assurance
When it comes to cloud-based services, you need to be aware that you are effectively outsourcing security. You are ultimately responsible for the data, but you are trusting your cloud based supplier with your customer’s information and your employees are inherently trusting you with their information. So by putting data blindly in the cloud, you are effectively placing all of the responsibility on the supplier who provides the cloud service. So… fingers crossed that they’ve security tested the service properly and placed your data in a data centre that’s secure?
If you don’t have complete assurance from your provider, then you may want to think about creating your own. For example, it might be worth spending some extra money to get the service security tested. You might find out that it’s not actually as secure as you’d like. Although this may be costly (especially if you don’t end up ultimately using the cloud service), depending on the criticality of your data, it may be worth it in the long run.
Specify the Respective Responsibilities
As mentioned above, buying a cloud service is a responsibility. Make sure you know who’s responsible for what when a problem arises. If the responsibilities haven’t been clearly defined or articulated from the outset, you may want to prioritise this. Then when something does go wrong, you aren’t both pointing a finger at each other.
Scrap Shared Servers
Part of the reason why cloud servers are a cheaper option to having an in-house service is because the provider could place your data on in a shared environment. This obviously has implications for security, especially with regards to data disposal. One day, you may want to wipe your data securely…but you can’t if it’s shared. For this reason, you might want to think about finding a way to store your data independently, on a server of its own. Yes, a costlier option, but far more secure in the long run. Obviously, you would assess the criticality of the data that you’ll be placing in the cloud service.