Security – in, from and with the Cloud
Security is one of the hottest topics when it comes to obstacles of adopting cloud services. Maybe we theatrically should “tear this wall down”, de-dramatize it, without tearing the importance of good security down – because it is important!
No, there are several different types of security services related to cloud. Examples:
- Security within a cloud service which has another purpose than delivering security, for instance an email service. The security in this type of services is to protect your data from other people or systems, not being harmed by malware, backed up and the ability to be restored etc.
- Security as a Service delivered as a cloud service which you can adopt to your existing on-premise solution. Examples:
- SPAM and Malware protection
Audit tools/services who will audit the vulnerability within, to and around your cloud service (No. 1 & 2 above).
Consulting audit services. Pretty much like No. 3 but performed by humans and normally gives you a report how to act on a problem given by No. 3.
Fear = out of your control
The highest obstacle to pass is you. It’s you who have issues with letting someone else take care of your services and data – it’s out of your control. I admit this is a problem even for me. But either you give your kids the key to your house or you have to be there every time to open the door – regardless if you’re at home or not. I’m simplifying but either you adopt cloud or not, you have to let go of control.
Internet = a scary thing
Yes, the way to buy and reach services is normally from internet. The internet is a place where a lot of cheating and tricks exist and sometimes there are pure criminal act behind the screen. This is a problem and is probably the second highest obstacle to pass in your mind. But;
Professional CSP’s = your aspirin
Security is crucial to you. Security is crucial for CSP’s. I’ve been into this one several times, for instance in my post ‘Don’t blame the cloud’ (on inmaxmind.com) from which I quote:
“Being a service provider means being a pro of delivering services. Service providers will do everything to deliver a secure, available service – it’s a mindset.”
CSP’s deliver services to a lot (hopefully!) of customers. If “your part” of the service gets infected, attacked or corrupt this normally means; the CSP is infected, are under attack or having general problem with their service, which then means that all or a significant part of the customers of the service are affected = big TROUBLE for the CSP. CSP’s have to secure their services to be able to survive in a market which is heavily exposed to competition and audits. They must have (or should if title themselves as professional CSP’s):
- Redundant system and sites (more in continuity area but if one site goes down another one must be able to take over)
- Documented disaster recovery plans; systems will not solve disasters by themselves, customer has to be informed, SLA’s needs to be known and prioritized etc.
Adopting cloud services is about trust and let go of control.
Choosing a (public) cloud service is quite similar to buying other type of services and products. It normally differs from IT Outsourcing since you’re not negotiating price, terms and conditions, SLA etc: You choose capacity, SLA etc from a list, the price is calculated, and you accept terms and conditions. And here’s the key; before you accept T&C you should always:
- Don’t put all your eggs in one basket. If possible; use different Service Provider for different services.
- Don’t start with putting your most sensitive data in a cloud service.
- Make sure the CSP is a trusted provider with a great reputation – “Google that”, talk to people.
- There’s lot of forums and people who are willing to give you a trusted opinion. Sorry to tell you but; websites and references don’t necessary have to be true, even if they are well-known brand. Websites are for marketing. Sometimes they also are pure fake.
- Add a specific Cloud Security + User Policy to your Information Security Policy.
- Link the user policy and add a “how-to-use”-guidance to your handbook for employees and spread the information.
- Who’s responsible for the service? Who’s the “system owner”?
- This one can’t be too often repeated: Read the T&C
I just want to add one thing: never forget that you are the one who in the end is responsible of your data and security surrouding it. Never click on the Accept button and adopt a cloud service before you carefully know why and then when, what, how and from who.