Cloud adoption has been growing over the last couple of years primarily driven by cost reduction and speed of adoption. However, according to a survey performed by KPMG, the top barriers to cloud adoption remain to be related to security and compliance. Data security is projected to remain the most important SLA parameter in 3 years. Fundamentally, the data and network security is about three control objectives i.e. confidentiality, integrity and availability.
Know Where Your Data Lives
Being able to know where your data physically, goes a long way to establish your cloud security and risk assessment. Some cloud providers could have data centers in international locations and which may be subject to laws and policies of that jurisdiction. The data center location is also critical in evaluating latency impacts on your application that you are communicating with. International data centers often suffer with reduced latency that may pose a risk for your business applications on the cloud.
Have a Disaster Recovery and Business Continuity Plan
In 2009, a lightning strike triggered Amazon EC2 outage and the cloud services were offline for about 4 hours as an aftermath. Data backup and availability are critical and one of the main challenges facing the service providers. Take a long term view on your hosting services and make sure that you backup your data at appropriate times to ensure that the customer data is not lost. Understand the risks associated with data availability and disaster recovery issues that may impact your business. Big companies have lost their data due to improper backup procedures and it is one of the growing concerns for moving your services on the cloud.
Understand How Your Data is Protected
Understand and solicit clear information around how your cloud service provider protects your data with encryption and firewall security. Encryption is a must-have on public cloud SaaS solutions and need to be secure and encrypted. Cloud computing resources should be sheltered with a mandatory inbound firewall. Devise plans for how you are going to monitoring network attacks or hostile system activity even if you are on the cloud. You are only going to be able to understand the sufficiency of your security if your cloud provider is willing to disclose their security practices. Some providers treat the security practices as confidential which can become more challenging.
Third Party Audits: Service Organization Control Reports
Curious if your provider is serious about security? Research to see if they have been audited by third parties to build trust and confidence with the customers. In February 2013, Cloud Security Alliance (CSA) released their position paper stating the purpose of SOC 1 and SOC 2 reports for cloud service providers appropriating SOC 2 as the de facto standard for cloud security. SOC 2 audits conducted in accordance of AT 101 cover controls relevant to security, availability, processing integrity, or privacy. In 2013, the number of data centers and CSPs which underwent a SOC 2 attestation increased by 100% YOY from 7% in 2012 to 14% in 2013. Aside from SOC 2, PCI Compliance, HIPAA Compliance and ISO certifications are important indicators for dedication your cloud service provider has for security.
Hassan Sultan is a partner at Reckenen, which provides accounting and assurance services to privately held companies