Security, or the lack of it, is one of the key factors holding businesses back from making more use of cloud computing. This brief article summarises the top cloud computing security risks and outlines ways to offset or minimise them.
The top security risks of cloud computing include:
- unauthorised access to cloud data and software applications
- personal information held by cloud computing vendors being open to abuse or exposure
- user names, logon IDs and passwords being stolen and then misused
- using a remote third party to process sensitive corporate data
- unreliable or poorly protected vendor infrastructure
- unscrupulous cloud computing vendor
- concerns about the internet connection to access the applications and data
- compromised PC, laptop, mobile or other computing device (used to access the cloud application and data)
Ways to offset or minimise the security risks of cloud computing include:
Being cautious and vigilant when choosing your vendor:
- consider the ‘big names’ with solid reputations, rather than unknown vendors
- check out their security arrangements in detail
- review their guarantees for service availability
Check whether the cloud computing vendor adheres to the latest security:
- standards / certifications including ISO 27001, SAS70
- technologies and techniques
Find out how the vendor manages its customers’ data and applications, e.g.:
- what do they do to segregate and / or encrypt data?
- do they outsource? if so, to which countries / jurisdictions, under which data privacy laws, and do they adhere to the local privacy laws?
- do they use third parties? if so, who is involved and what for?
- who has what access to the data and applications?
- do they have multiple offsite backups? what are the disaster recovery plans and how regularly do they test these?
- how do they manage security when they have software upgrades?
- what would happen to data and software applications, if the contract was terminated or if the vendor went bankrupt, or was taken over?
- do they allow external audits of customer data?
- what exception reporting is carried out? do they allow investigations for unusual or inappropriate activity?
Consider a hybrid or private cloud solution, rather than using a shared cloud service.
Obtain an independent third party ‘security assessment’ of the potential cloud vendors.
In addition, there are things you can do yourself, within your organisation to help offset or minimise the risks of using a cloud computing solution, such as:
Having a ‘cloud computing’ policy or statement, setting out how you plan (or do not plan) to use cloud-based services. It could specify what systems, processes and data you would consider operating on the cloud, and the issues to be resolved before using or extending the use of cloud services.
If you are already using cloud services, make sure your employees safely access their data and services. Security-based actions include:
- using the latest firewalls, antivirus, anti-spy, operating systems, browsers, malware protection
- maintaining regular local data backups
- user education such as using strong passwords (which are carefully protected and regularly changed), logging out after use, not opening suspicious emails
- reviewing the internet access and security of employees’ mobile devices and any equipment they have at home which they use to access the company’s systems
- good encryption for wireless devices
- carrying out regular audits of your organisation’s security and implementing actions identified
- banning the use of USB memory sticks, CDs and DVDs, which are all too easily lost (as there should be no need for them with cloud services)
Security remains a major risk for cloud computing and at present is some way from being fully resolved. Therefore, if security really matters to you and your organisation, currently you should not take any chances.