Securing the Cloud, Your Virtual Storage Shed

Posted 2013-06-18
cloud security

By Ron Woerner

Cloud computing is quickly growing in popularity. The idea of a virtual storage shed to house all your data and documents is turning into one of the best resources for companies because it provides efficiency and economy of scale.

One of the biggest concerns is how to protect that storage shed and ensure that the information it contains will remain accessible solely by people authorized by your company. You cannot guarantee that a cloud provider will never be breached—just as you can never guarantee that your company won’t be breached.

Therefore, security and IT professionals must take time to research cloud providers, asking intelligent questions to help find the best fit for their organization's needs. In fact, spending time and money on research should be a top priority before choosing a cloud provider. 

Determining the level of comfort you require depends on understanding the risk level of the information that's going to be stored. The most efficient way to accomplish this is to develop and use a security questionnaire that you give to cloud providers. Some important questions to include are:

· Who will have access to our information?

· How can we change access rights—and how quickly can that happen?

· How will our data be encrypted?

· Whose responsibility is it to encrypt the data? 

· When was your company's most recent assessment? 

· Who did the assessment? 

Luckily, many organizations specialize in putting together these types of questionnaires. A couple of my favorites are the Payment Card Industry Data Security Standards (PCI DSS) Council and the Cloud Security Alliance (CSA). The former has been around for years and is widely accepted (even by companies that aren’t worried about protecting payment information).

The CSA is composed of IT and security professionals from around the world who specialize in cloud services. On its Website, the CSA offers a complete matrix that breaks down questions to ask, along with what the answers mean. It's important to research each methodology to determine the best fit for your organization.

After formulating the questionnaire, either on your own or using an option listed above, you should send it to potential cloud service providers. Have them do a self-assessment first and then do your own research to see whether your answers match up with theirs.

While it may not be feasible to follow up with an in-person visit, in most cases, a telephone discussion with the vendors about their answers can provide the same due diligence. Also, be sure that you are talking with actual members of the security and IT teams, rather than salespeople. It is vital to get the information directly from the professionals who manage and work with the systems in order to compose a contract with defined policies. 

Incorporating Mobile Devices

In addition, don’t forget to incorporate another growing trend—mobile devices— into your policies and security development. Although many people want to use whatever mobile devices they have—including smartphones and tablets—employers need to be cautious of the additional risk associated with the virtual storage network and these mobile devices.

On one hand, this is where the cloud is very beneficial: Users can connect any time, from anywhere, using any device. But what happens when employees use a personal cloud service to store work information? A security professional needs to be involved from the beginning, writing the correct policies and having them in place, enforcing those policies and ensuring that appropriate steps are followed in every situation by all employees.

Many companies are still coming to grips with these mobile devices, knowing that the data has to be secured on both ends. While the bring-your-own-device trend may be the wave of the future, security professionals are going to have to ensure that proper policies are written and discussed prior to moving to a BYOD environment.

Taking time to understand all the different aspects of cloud computing may be overshadowed by the final point: the need to understand the legal system and contracting. Security professionals need to understand exactly what is covered by the contract and what exactly is written in the contract with the cloud provider. They need to understand the level of security provided by the provider and be able to verify and audit the level of security to ensure that a hole has not been opened to the outside world.

In a worst-case scenario, the security professional needs to know and understand the cloud provider’s policies and practices if a security breach occurs. To make this scenario work, it is vital for the security pros to be involved in creating the contract. They need to be the ones talking with the providers, negotiating the appropriate levels of security, and ensuring they are comfortable with the information.

As with any developing trend, cloud computing has pros and cons. While there is always a chance of a security breach or loss of information (which is more likely to be prevented if your security professional is proactively involved), the benefits of cloud computing far outweigh its risks and costs.

Protecting the information you are storing in a cloud is just as important as locking a physical vault, so taking the appropriate steps to ensure you have the proper level of security that will help protect your company from breaches and losses. And those steps must include taking the time to investigate cloud providers, asking the right questions and putting together effective security policies.

Ron Woerner is the director of the M.S. Cybersecurity program at Bellevue University and has 20 years of corporate experience in IT and security. He is a certified information security professional (CISSP) and a certified ethical hacker (CEH).