With the RSA Conference taking place last week, bringing together movers and shakers to discuss the latest and greatest cloud security issues, it got me thinking about how perceptions of cloud security have progressed. 

Over the last couple of years, we’ve seen a real shift of cloud adoption in enterprise and government.

Houses of analysts are predicting huge uptakes of the cloud over the next 12 months. Gartner named cloud computing as one of the top tech trends for 2013. IDC predicts this year’s IT spending will exceed $2.1 trillion, driven by growth in mobile, cloud, Big Data, and social technologies. Clearly, cloud market is maturing, and cloud security issues and fears that hindered uptake yesterday are now washing away.

But not all cloud services are created equal. When you’re looking for a cloud provider, you have to be absolutely certain that you’re picking the best fit for your organization. So how do you accomplish this? Ask your potential cloud supplier the right questions.

Top 5 questions you must ask about cloud security:

1.  Which audited information security standards do they comply with?

The obvious one here is ISO 27001, an international information security management standard that covers the three key aspects of looking after your data: confidentiality (it doesn’t get into the wrong hands), integrity (it doesn’t get corrupted) and availability (you can access it whenever you need to). An organization that has an ISO 27001 certification has passed a rigorous audit, covering not just current controls, but ongoing monitoring and incident management. An organization’s security is only as good as its weakest link; and data center access controls won’t help if an outsider can just turn up at the company’s headquarters, plug into the corporate network, and access the data center that way. SAS 70 Type II and its replacement SSAE 16 are often touted by vendors as security standards, but beware: they are not. These are auditing standards to check that the company is following its own controls, and that these controls meet the stated objectives. Of course, this is not much use without knowing what the objectives and controls being audited actually are. They may have nothing to do with keeping your data safe, so you should ask to see the report.

2.  How does your potential cloud supplier perform against their SLA (if they have one)?

Availability is a key part of information security and is often a concern for IT departments that are moving applications into the cloud. A competent cloud provider should be able to offer better uptime than your own internal systems can achieve, as well as a Service License Agreement (SLA) to back up this promise. But bear in mind: no SLA payout can ever fully compensate you for loss of access to key information when you need it. More important than the compensation promised in the SLA, is the historical performance against that SLA. How transparent is the supplier on this? Is there somewhere you can go to check real-time performance against the SLA? So how does Huddle compare? View Huddle’s uptime now; it’s been 100% over the last 90 days, which exceeds our SLA.

3.  How bulletproof is the application itself? And how do they know this?

In the corporate IT environment, firewalls keep outsiders out and the content in, limiting the damage that may be caused by poorly written applications. In the cloud world, the apps are (necessarily) internet facing, so baking application security into the development process is absolutely essential. Sony Pictures’ infamous loss of users’ passwords (back in 2011) came down to an SQL-injection attack, which is a very basic application weakness. A good vendor codes defensively against XSS, XSRF, SQL-Injection, and other attacks. Vendors should also be commissioning regular penetration testing, using a determined external party (not just automated tools) that tries exactly what a skilled hacker would do. Test automation is also a vital part of application security. Full test automation means that every part of the application is tested by a suite of scripted tests before any new version is released—preferably every time any developer makes a change. This is crucial to prevent cloud security issues before they surface.

4.  What data backup and disaster recovery arrangements do they have in place?

Your data is precious, so make sure your supplier is keeping it safe. They need to replicate the data to multiple locations, in case of hardware or complete data center failure occurring on one site. Vendors also need to keep generational copies (previous versions) of the data to avoid data corruption or accidental deletion. They should also be able to survive a disaster scenario—the complete failure or destruction of a data center—and continue to provide the same service with little or no disruption. We always talk about a plane landing on the data center—which is pretty unlikely. But I know a data center that lost power for 36 hours due to a fuse problem that no one could trace.

5.  Where will your data be stored?

While cloud computing is eroding the relevance of the corporate firewall, it has yet to lead to global, legal uniformity, so the legal jurisdiction in which your data is stored will continue to be important. The right answer to this question will depend on your circumstances. Right now, European data protection laws have the most rigorous requirements for personal data security. Safe Harbor is a program whereby US-based companies sign up to practices that Europe-based companies are compelled to follow by law anyway. The Patriot Act comes top-of-mind, with increasing frequency, by organizations preferring to keep their data beyond its legal reach.

With all the security protocols Huddle puts in place, concerns around cloud security issues shrink to nonexistent.  Learn more about Huddle’s enterprise-level security and reliability.

Jonathan Howell


Request a Demo

© 2006 - 2019. All Rights Reserved.