Security in the Cloud

01/23/2015  |  By: Thomas Lewis, CISSP, CISA, QSA, Shareholder, Information Security

As featured in The Edge Magazine.

Remote IT storage offers easy access to data from anywhere, quick setup and scalability but also more potential for data breaches.

Cloud-based services offer companies convenience, including easy access to data from pretty much anywhere and quick setup. The services also save companies money in capital-infrastructure costs and operating expenses.

But relying on the cloud has its drawbacks and risks.

Thomas Lewis handles the security and risk-services practice for LBMC, a CPA and business-consulting firm. The Nashville-based company has an office and clients in Chattanooga, including EPB. Among its technology-security services, it helps clients decide on whether and how to get cloud-based services. In an interview with Edge writer Mitra Malek, Lewis describes the precautions that companies should take if they sign up for this new feature of the data-driven world.

What kind of cloud services are out there?

In one case, the cloud-service provider is giving you software. You're going to move your data into their application. That's probably the most common. There are also some that offer infrastructure and say: This is a server, and you can put your own application on it.

Why use cloud services?

So many large organizations are looking at cloud technology to help reduce costs and be able to go to market a bit quicker. Most organizations, when they normally start on their own, they're going to have some servers in a room and that will grow and turn into a data center. You have to have heating and cooling and things that take up a lot of capital and a lot of operating costs. What cloud companies say is: Look, there's no sense for all of us to invest in a heating and air system for all of this. If we could pool our resources together, we could get some economies of scale and leverage that across multiple organizations. There is so much business pressure to save money in IT. But right now we don't have total costs of ownership over an extended period of time. Cloud-based services have become prevalent in the past two or three years. We might find that it's not that big. Some of the costs are associated with movement among cloud-service providers; there's a lot of people who change among cloud-service providers.

How much can a company expect to save?

A lot of it is the savings on the front end because there is no capital investment. For operating costs, the savings are probably 20 to 25 percent.

What are some of the things businesses should think about when considering going to a cloud-based service?

Understand where your data is going to reside. If you know it's a domestic-based entity with data centers scattered throughout the U.S., we know if we have a breach, we're going to get cooperation from the FBI (or local authorities). Unfortunately, many are internationally based, so your data may be sitting in India or Indonesia or China or somewhere else. Many organizations share cloud accounts among several users in the company. What happens if one of those employees leaves? Can he or she still gain access? Then what's the sensitivity of my data? If it's marketing information, it's probably not very private. If it's client lists, revenue, finances, it probably is. Look at it from a risk-management sense to make sure the controls you're putting in place are appropriate given the level of risk. How is the cloud-service provider vetting employees? If it goes south, how do you get your data back? How do you get your data off their systems?

And what can a company do to protect itself if it uses cloud services?

Encryption prevents a lot of missteps. If you encrypt the data in transit and at rest, you have protected yourself. Any of your sensitive data, look for ways you can encrypt it. If it's sensitive data, you need to have an ongoing monitoring program. Sometimes it's just a matter of a report, for testing and validation. Other times you may want to do onsite testing and visits. We have some clients that once a year go to India.