It seems that technology is taking faster and faster developmental steps. In just over 220 years we have gone from reading flags on hilltops to having mobile telephone technology integrated into our sunglasses. Computing in the cloud is simply another adjustment we are making on the steep trajectory of technological development.
Whether you are transmitting information with flags or doing business in the cloud, the problems of data security still persist. These are:
Cloud computing provides benefits and threats across these, which must be carefully considered. The Defence Signals Directorate (Australian Government Department of Defence, Cyber Security Operations Centre, 2012) recommends that a careful risk assessment be undertaken prior to embracing the new technology.
Using the data security considerations as a framework, what are the broad risks you need to review before computing in the cloud?
Risks related to the availability of data include:
• Vendor availability – storing your data and applications on someone else’s infrastructure automatically exposes you to the risk of loss of availability should that infrastructure become unavailable.
• Access availability – your ability to access the cloud will depend on two basic considerations: the reliability of your internal hardware (be it a personal tablet or smartphone or thousands of workstations across multiple sites) and the reliability of your internet service provider.
What to do
Before engaging a vendor, do some research to ensure that they have processes in place to provide you access to your data and applications. This may include standard practices like backup “hot” sites to ensure that natural disasters and human intervention don’t put them and you out of business.
Also research your internet service providers and your hardware. Benchmark your provider and hardware on performance and reliability and choose the products and services that can demonstrate the best reliability of service.
• Unauthorised alteration – if you do not have direct control over your data and applications, you can’t be sure that they aren’t being purposefully altered for various reasons. This could be motivated by a range of factors from “hacktivism” to simple mischief, but the end result is the same – the data you have is no longer the data you stored.
• Unintentional alteration – data corruption can occur for any number of reasons, but most often it is tied to errors occurring during the writing of data.
What to do
Controlling unauthorised access to your data and applications will rely on two main considerations: the vendor’s internal security processes and your own access control processes.
As discussed above, your review of the various vendors must include their internal assurance processes to both prevent unauthorised access from outside and prevent the introduction of human security threats into their organisation.
Access control systems obviously also provide an important level of security for your data and should focus on multi-factor authentication, but they should not be so stringent that they discourage use or encourage poor security practices (like writing down passwords).
Preventing data corruption comes down to ensuring that the hardware and infrastructure is of a suitable quality to begin with, is well maintained and regularly upgraded to keep pace with development and limit the risk of failure.
• Theft – if the data you are storing in the cloud is sensitive or valuable then it will always be the target of theft, either by internal employees of the vendor or by outside attackers.
• Transmission – a large component of “hacktivism” is the transmission of sensitive or embarrassing information across the internet.
What to do
As far as possible, ensure that the data you place on the cloud is non-sensitive. However, this obviously dilutes the effectiveness of using the cloud to provide storage and access for business resilience purposes.
As discussed above, the authentication and access control systems that you use must also be up to the task, and when choosing vendors you will need to look at their internal controls in this regard as well.
Just as with any new technology or activity, a sound approach is to identify and assess the risks before diving onto the bandwagon. A simple approach such as that used in this article provides a starting point, but there is a wealth of resources available to guide you in one of the most important personal or business decisions you may ever make – letting someone else guard your data.
Author bio: Zac Grace is a tech, marketing and SEO blogger working in the IT industry for the past 7 years. His work mostly revolves around SEO, but his interests do not end there. This article was written with kind help and resources from Ninefold Cloud Experts. You can connect with Zac on Twitter and Google+.