Securing the Cloud, Your Virtual Storage Shed

By Ron Woerner

Cloud computing is quickly growing in popularity. The idea of a virtual storage shed to house all your data and documents is turning into one of the best resources for companies because it provides efficiency and economy of scale.

One of the biggest concerns is how to protect that storage shed and ensure that the information it contains remains accessible solely to people authorized by your company. You cannot guarantee that a cloud provider will never be breached—just as you can never guarantee that your company won’t be breached.

Therefore, security and IT professionals must take time to research cloud providers, asking intelligent questions to help find the best fit for their organization’s needs. In fact, spending time and money on research should be a top priority before choosing a cloud provider. 

Determining the level of comfort you require depends on understanding the risk level of the information that’s going to be stored. The most efficient way to accomplish this is to develop and use a security questionnaire that you give to cloud providers. Some important questions to include are:

· Who will have access to our information?
· How can we change access rights—and how quickly can that happen?
· How will our data be encrypted?
· Whose responsibility is it to encrypt the data?
· When was your company’s most recent assessment?
· Who did the assessment?

Luckily, many organizations specialize in putting together these types of questionnaires. A couple of my favorites are the Payment Card Industry Data Security Standards (PCI DSS) Council and the Cloud Security Alliance (CSA). The former has been around for years and is widely accepted (even by companies that aren’t worried about protecting payment information).

The CSA is composed of IT and security professionals from around the world who specialize in cloud services. On its Website, the CSA offers a complete matrix that breaks down questions to ask, along with what the answers mean. It’s important to research each methodology to determine the best fit for your organization.

After formulating the questionnaire, either on your own or using an option listed above, you should send it to potential cloud service providers. Have them do a self-assessment first and then do your own research to see whether your answers match up with theirs.

While it may not be feasible to follow up with an in-person visit, in most cases, a telephone discussion with the vendors about their answers can provide the same due diligence. Also, be sure that you are talking with actual members of the security and IT teams, rather than salespeople. It is vital to get the information directly from the professionals who manage and work with the systems in order to compose a contract with defined policies.