Cloud Computing: Five things to consider
by Gerard Johansen, CISSP
Reduced budgets for IT projects, expansion in bandwidth, and the readily available resources provided by third parties are the norm for businesses today. These factors have caused an increased focus on outsourcing information technology functions. The end result is that many enterprises are moving their data and operations to the “Cloud”. While Cloud Computing offers a number of benefits, managers and business leaders must be fully aware of some of the risks involved with moving data or operations to "the cloud".
Cloud Computing, or simply “the cloud”, is the use of a third party for data storage, archiving, processing power or an infrastructure on which to build an organization’s networking capability. Cloud Computing has been around a while and most users are already familiar with such cloud-based services as Internet Email or applications such as GoToMeeting™ or Salesforce.com.
Cloud Computing goes much farther in the services offered than just applications. It seems that every day there are new services offered by a myriad of companies. These services enable businesses to move faster, make better decisions and reduce costs. While there are significant benefits to Cloud Computing there are risks associated with it as well. Many of these risks can be reduced with a little homework and addressing some of the issues associated with Cloud Computing. Some areas to consider are:
Selecting a Provider: You would not go to a service provider without knowing who they are and how they do business. The same goes for your Cloud Computing Service provider. Just like any other business, there are well established enterprises with a solid track record and there are those that have just started out and have not established themselves yet. Some providers have a reputation for shoddy service or worse. Making an informed decision is based on the information that you can get. A good Due Diligence search would provide you with information related to the company’s UCC filings, pending or adjudicated civil cases, bankruptcies, and in many cases revenues for the past year. In addition, checks on principals and senior leadership of the provider will give you an idea of past associations and attitudes on issues affecting your decisions.
Scrutinize the Service Level Agreement: Oftentimes Service Level Agreements (SLAs) are tilted in favor of the provider. A wide range of issues, as diverse as downtime and ownership of information, is contained within the SLA. Managers need to carefully review the material to ensure both that their information is protected and that the business protects itself in the event of an unforeseen outage or data breach.
Your Information: Once a review of the SLA and a due diligence investigation have been conducted, the tough questions need to be answered. Specifically, where is the data kept and who is allowed access to it? Many times, Cloud Service Providers retain the option of moving your data to offshore operations. Many times this is done without your knowledge. Some providers will shift the data from a domestic location to an international location because of space factors or a new client that needs their data to be contained within the United States. Moving data offshore exposes your business to a number of concerns such as legal issues related to data security, as well as political instability in some regions where offshoring is common. In addition to location, who has control of and access to the information is an important consideration. Again, you are relying on the provider to screen employees and monitor their behavior. Insiders pose a significant threat to businesses in the United States, but turning your information over to individuals in foreign countries can significantly increase your business risk.
Security: You take great pains and invest resources in securing your data from external threats. The question then becomes, does your Cloud Service provider take the same steps? The law has also weighed in on the issue of security. Although your business no longer has custody of the information, your business does have control of the information. In the eyes of the courts, data breaches that release PII do not make the Cloud Computing provider responsible; they make you responsible. Certifications such as ISO 27001 and SAS 70 provide a baseline for providers in terms of securing your information. A provider that makes this information available for your review will make an informed decision easier. In addition, having a clear idea of what security measures and disaster recovery plans are in place impacts greatly on the selection of Cloud Computing Service providers.
Legal Issues: Given the litigious nature of business these days, if you haven’t been sued, a lawsuit is probably right around the corner. Litigation related to employees, intellectual property, policy violations, and contracts often involves electronically stored information. Organizations that outsource data storage or e-mail archiving need to address the legal issues with providing that information during legal proceedings. Courts across the country have ruled that although the information is in the possession of a third party provider, it is still the responsibility of the client business to be able to provide access to those materials during a proceeding. Having issues related to discovery worked out beforehand will minimize the additional stress of complying with a court order.
Cloud Computing is an exciting new step in the use of technology as a business enabler. The cost reduction and scalability of Cloud Computing represent a major benefit to business. Just as with any other technology in use today, there are risks associated with adoption. Businesses should look to identify and address these risks before signing up. Having the proper information and understanding of what Cloud Computing means will go a long way to making the right decision.
Gerard Johansen, CISSP is the Manager of Information Assurance at SSC, Inc. He is responsible for creating and implementing cost effective technology risk solutions. He is a member of the ISSA and Cloud Security Alliance.
© 2011 SSC, Inc.