Security in the cloud
The Bunker was recently asked to comment on the growing trend of Cloud. Before you consider Cloud computing providers, we recommend reading the following extract:
Cloud, from The Bunker’s perspective, has a number of security issues users need to be aware of. Here are some of the specific security queries we suggest customers should raise:
Privileged user access. Sensitive data processed outside the enterprise brings with it an inherent level of risk, because outsourced services bypass the “physical, logical and personnel controls” IT shops exert over in-house programs. Get as much information as you can about the people who manage your data. “Ask providers to supply specific information on the hiring and oversight of privileged administrators, and the controls over their access”.
Regulatory compliance. Customers are ultimately responsible for the security and integrity of their own data, even when it is held by a service provider. Traditional service providers are subjected to external audits and security certifications. Cloud computing providers who refuse to undergo this scrutiny are signaling that customers can only use them for the most trivial functions.
Data location. When you use the cloud, you probably won’t know exactly where your data is hosted. In fact, you might not even know what country it will be stored in. Ask providers if they will commit to storing and processing data in specific jurisdictions, and whether they will make a contractual commitment to obey local privacy requirements on behalf of their customers.
Data segregation. Data in the cloud is typically in a shared environment alongside data from other customers. Encryption is effective but isn’t a cure-all. “Find out what is done to segregate data at rest”. The cloud provider should provide evidence that encryption schemes have been designed and tested. “Encryption accidents can make data totally unusable, and even normal encryption can complicate availability”.



