Cloud security: The top tips from the experts

Stuart Sumner

Computing asked the experts for their top tips to help businesses use the cloud securely. Here's what they said.

Remember the changing regulatory landscape
Moving data and services into the cloud can create a compliance headache, with different rules applying in different jurisdictions. And some providers will be coy at best when it comes to clarifying exactly where data is held. The best advice is to ensure you've had proper legal advice before taking the plunge.

Jaspreet Singh, CEO of Druva
"There's a growing amount of data getting stored on mobile and personal devices because the services used to create that data are based in the cloud. There is more awareness around this due to the forthcoming GDPR compliance deadline. It's a cloud security problem because not all cloud services offer equivalent security measures. While this might be fine for general business data, it's a serious problem for confidential or regulated data.

"Things like Personally Identifiable Information and Personal Health Information can much more easily be compromised if they are not monitored. Typically companies use multiple clouds, not just one, which makes that job of monitoring much more difficult."

Sam Mager, commercial director at Krome Technologies
"Understand how your compliance regulations transpose into the cloud provider's architecture and ensure that they can prove beyond contestation that your data is stored in the right location and will not cross borders (if this is a requirement).

"Spend time with the architects of your cloud provider and have them demonstrate to you that their solution meets your business requirements. The risk of 'believing the brochureware' is too large to leave to chance. Have them demonstrate, document and sign off on your solution so that you are covered in the event of a breach in compliance that is out of your control."

Nick Delewski, managing consultant, security consulting, Spirent Communications
"The laws of math don't change. The law of the land does. Operating across borders and overseas has always been a complex legal proposition and cloud computing does little to solve that particular problem. Sometimes, it may be difficult to determine which government(s) even has jurisdiction over cloud operations. Be sure to get legal advice on cloud computing before jumping into the cloud(s)."

Jamal Elmellas, technical director at Auriga
"Your data could end up in any nation, and of particular concern is data ending up in a nation with minimal data protection legislation. This is what's commonly referred to as 'data sovereignty' and there's been some real scaremongering over this concept, but in reality this will be in the commercial terms, where the CSP details where the data may 'live'. If not, always ask for it in writing.

"The CSP market should be more open and upfront in terms of what they do and don't take responsibility for. Most customers would rather they knew what they were and weren't buying. And for this to happen there will need to be some form of standardisation or self-regulation. There are already discretionary codes of practice such as the APMG CIF, which requires suppliers to lay out terms simply and clearly, and we've seen this being mandated in the banking world. But will we see it in the Cloud? Maybe.

"For now, the organisation needs to perform its own due diligence. Look for a supplier who voluntarily signs up to these types of codes of practice. Consider also the CSP's reputation. How has the supplier managed security and compromises in the past? This is crucial in understanding how they will behave in a worst-case scenario. Establish where your responsibility starts and finishes, so you know what you should and shouldn't provide as part of your side of the deal.

"Also, know where your gaps are. For example, if the supplier cannot provide encryption for data at rest or certificate management, you know there is a risk there that you decide to open negotiations on or accept.

"Without knowing those risks, and ascertaining if they are acceptable, you may end up unduly pointing the finger following a compromise."

Paul Burns, Chief Technology Officer at TSG
"Understand ownership. This is often a complex area, especially when someone else is entrusted with your systems and data. You need to know they are following proper process. The basics like ISO 27001 should be a given, but find out how they security-vet staff. Also, establish if your data carries specific restriction criteria.

"Consult your industry-appropriate guidelines like the 'FCA Guidance for Outsourcing to the Cloud', but more importantly, if you don't understand it, get a security partner that can guide you through the process. Ignorance is no defence for a data breach."
