Cloud computing is convenient but poses risks

05/07/2015  |  By: Sese Bennett, CISSP, CISM, QSA, ITIL, HITRUST CSF, Senior Manager, Information Security


As featured in The Tennessean.

Just like a real cloud in the sky, the cloud that is hovering over the IT world can be a thing of beauty. It offers easy access to data from anywhere, quick setup and scalability.

But just like the real thing, the cloud can also produce a lot of rain in the form of data breaches and other unforeseen business disruptions. A recent survey found that 75 percent of IT decision-makers are "extremely anxious" about security issues stemming from use of the cloud.

Cloud service providers that have had service disruptions, which in some cases may have involved security incidents, include some of the biggest names in the business: Google, Amazon, Microsoft, Oracle and Intuit.

Among the things to be concerned about:

  • While software as a service makes it easy to access business applications and relieves companies of running software on their own servers, it carries risks as well. Transparency often is low. Do you know where your SaaS provider keeps your data or what security measures it employs?
  • Data centers can be anywhere. Would you feel secure, for example, if you knew that your sensitive data was sitting on a server in China? Would local law enforcement be responsive if there were a breach? Would U.S. law enforcement have any influence or be able to gain cooperation with local authorities?
  • Encryption often is not utilized. If properly implemented, encryption can greatly limit the damage from a data breach because the information is unusable to the intruder.
  • In many cases, data is stored on shared infrastructure. The question must be asked: Are there strong enough barriers between your company's information and that of another organization located on the same server?
  • Service hijacking. Many organizations share cloud accounts among several users in the company. What happens if one of those employees leaves? Can he or she still gain access?

So what can a company do to protect itself? Here are some suggestions:

  • Know where your data lives. Every organization must be able to clearly identify the flow of its data with all third parties that come in contact with it.
  • Use strong authentication for access to the cloud service. Multi-factor authentication is best, which means that a password alone is not sufficient. Another form of identification is required, such as a fingerprint, a token (a physical device that generates a code that is entered on the machine) or the answer to a secret question.
  • Ensure that you have a good understanding of the cloud provider's control environment and that those controls align with your own. For example, how do they vet their employees? Who potentially can have access to your information?
  • Find a way to gain assurance about the risk and security provisions taken by your provider. This can be accomplished in several ways, including obtaining Service Organization Control (SOC) reports or conducting on-site assessments based upon the risk of the cloud service provider to your organization.
  • Encrypt data, both in transit and at rest, whenever possible. Encryption, when done well, will cover a lot of security sins.

In another installment in this series, we discuss how to contract with a cloud service provider to make sure you are protected.

Sese Bennett is a senior manager in the Information Security practice at LBMC, one of the largest professional services firms based in Tennessee. Contact him at sbennett@lbmc.com or 615-309-2420. LBMC is a FedRAMP Third Party Assessment Organization (3PAO).
