Cloud computing providers require strong audits
“Auditing the cloud providers is something that needs to be done since you're essentially giving your data into the good hands of the providers,” Philippe Courtot, chairman and CEO, Qualys told SCmagazineUS.com Monday.
With 21 percent of decision-makers using software as a service (SaaS) and another 26 percent considering it, businesses increasingly becoming aware of the advantages cloud computing can provide -- including financial benefits, operational improvements and the ability to collaborate more easily. But this trend that has the industry buzzing is not without its concerns -- including the privacy of data in the cloud, implications of compliance and intellectual property issues.
The worst case scenario would be if you put customer data in the care of a cloud provider and they experience a breach, Chenxi Wang, principal analyst at Forrester Research, and author of the report told SCMagazineUS.com Monday.
“Who ends up in the headline news, and who ends up being responsible for compensating customers and picking up the pieces?” Wang said. “It's you, not your service provider.”
Businesses must implement an assessment strategy when utilizing cloud computing services, according to the report titled, “How secure is your cloud?” When turning to cloud computing, the function of IT security will morph into more of a compliance and risk management role, rather than security operations, Wang said.
Forrester interviewed people from a number of cloud service providers such as Google, HP, Qualys, salesforce.com, the Jericho Forum and Websense for the report. The report concludes that when assessing cloud computing services, the goal must be to find ways to secure and optimize your investments in the cloud. An assessment strategy must include data protection, compliance, privacy, identity management, secure operations, and other related security and legal issues.
With respect to data security, organizations must review the vendor's data protection techniques to ensure appropriate cryptography is used for both data in rest and in motion, and make sure the appropriate documentation is available for auditors. In addition, the provider's access control and authentication procedures should be reviewed, and companies should find out if third parties have access to the information.
Also, to ensure data security, companies should review the service provider's architecture to make sure proper data segregation is available and review their data leak prevention (DLP) deployment to prevent insider attacks, the report recommended.
Before utilizing a cloud computing provider's services, organizations also must conduct a feasibility study that engages legal, risk, and compliance officers to determine if cloud computing is appropriate with respect to laws and regulations the business is subject to. Next, organizations should determine which security, legal, and compliance needs are most important and find a vendor that meets those requirements, the report recommended.
When writing up a contract, organizations should ensure the vendor has the appropriate industry certifications to meet your businesses needs. Organizations should seek ongoing assurance that providers are compliant. As added assurance, organizations should consider using an unbiased third party to assess the cloud provider, the report recommended.
Courtot said a business must determine how sensitive the data going into the cloud is and how important security and privacy is. For data requiring the utmost security and privacy, organizations should request the ability to look at data centers and do a physical audit. Also, having the service provider supply regular reports is important. In addition, businesses should conduct regular penetration testing, Courtot said.