Some cloud software and services are more secure than others, and some areas of cloud security are more mature than others. But as long as you know which is which, you can take steps to protect your data, as FSN writer Lesley Meall discovers.
Generalisations are usually a mistake; there are always exceptions. But it seems safe to state that the widespread uptake of public, private and hybrid cloud software and services and personal mobile devices means that there are more ways than ever before for your sensitive corporate data to end up somewhere you would really rather it didn’t. If you are reading this you are probably a CFO or FD or financial controller or some other sort of finance professional, so you are probably relatively cautious when it comes to data governance and security and sovereignty (this may well be another dangerous generalisation, but life is full of risks); your non-finance colleagues, it seems, must be less cautious. ‘A lot of organisations don’t consider issues such as data security or sovereignty until there’s a problem,’ says Rob Rachwald, ‘because when they go into the cloud they think they can forget about hardware and software.’
As Rachwald is director of security strategy with the security specialist Imperva you could regard this assertion as self-serving, and it may be, but this doesn’t make it any less valid – and he is not alone in his concerns about cloud data security. Analyst Guy Creese recently generated more than a few column inches when he told attendees at the Gartner Catalyst conference that many cloud software applications (aka software as a service and SaaS) were still metaphorical teenagers who needed to mature. Apparently, whilst some SaaS vendors provide acceptable levels of physical and logical security for data in transit, in storage, and at the point of access, some do not, and although cloud security is improving, it is doing so in ‘fits and starts’ and there are some areas where data security remains relatively underdeveloped.
According to Creese, many vendors of SaaS apps still have some way to go when it comes to federated identity. If you are wondering what this is, it’s the means of linking, authenticating and authorising a person's electronic identity and attributes even though they are stored across multiple and distinct identity management systems – such as ‘on-demand’ software and services and the enterprise platforms behind the corporate firewall, for example. He says: ‘Some SaaS systems are only just starting to offer support for SAML,’ despite the ‘security assertion markup language’ being a standard protocol for ‘federation’ that has been around for almost a decade. Gartner has been getting feedback from enterprises that when they ask SaaS vendors if they support SAML, many don’t and some don’t even know what it is.
Another area where a lack of ‘federation’ leaves something to be desired is the removal of permissions etc (aka off-boarding) from SaaS applications; according to Gartner, when employees leave a company it can struggle to revoke both their cloud access and their corporate network access at the same time. Despite all of the hype and heavy selling of data security in the cloud (their security procedures tend to be better than those at the average small business, don’t you know), it seems that most applications in public clouds are still not as secure as applications running on your own servers, inside the enterprise, and nor is the data associated with them. So what can organisations that are already using cloud services or want to use them in the future do to protect their data – and their reputations?
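Where off-boarding is not federated, the practical control is a periodic reconciliation of each SaaS application's user list against the corporate directory. The following is an added illustration, not code from the article or from any vendor it mentions: the directory and SaaS records are constructed sample data and their field names are assumptions.

```python
# Added example: find SaaS accounts that off-boarding missed by reconciling a
# SaaS user export against the corporate directory (the source of truth).
# Record layouts and field names below are assumptions; all data is constructed.
from datetime import date

# Constructed corporate directory export: email -> status and leaving date.
DIRECTORY = {
    "alice@example.com": {"status": "active", "left": None},
    "bob@example.com": {"status": "disabled", "left": date(2011, 8, 1)},
    "carol@example.com": {"status": "disabled", "left": date(2011, 9, 10)},
}

# Constructed SaaS user export; note the mixed-case address and the
# account with no corporate identity at all.
SAAS_USERS = [
    {"email": "Alice@example.com", "status": "active", "last_login": date(2011, 9, 28)},
    {"email": "bob@example.com", "status": "active", "last_login": date(2011, 8, 15)},
    {"email": "carol@example.com", "status": "suspended", "last_login": date(2011, 9, 9)},
    {"email": "contractor@example.com", "status": "active", "last_login": None},
]
TODAY = date(2011, 9, 30)


def find_offboarding_gaps(directory, saas_users, today):
    """Return (email, reason) for every SaaS account that should be revoked."""
    gaps = []
    for account in saas_users:
        if account["status"] != "active":
            continue  # already revoked on the SaaS side
        email = account["email"].lower()  # normalise before matching
        corp = directory.get(email)
        if corp is None:
            gaps.append((email, "no matching corporate identity"))
        elif corp["status"] == "disabled":
            reason = "disabled in directory"
            if corp["left"]:
                reason += f", left {(today - corp['left']).days} days ago"
                # Evidence that the lag was actually exploited, not just present.
                if account["last_login"] and account["last_login"] > corp["left"]:
                    reason += ", logged in after leaving"
            gaps.append((email, reason))
    return gaps


def run_sample():
    return find_offboarding_gaps(DIRECTORY, SAAS_USERS, TODAY)


if __name__ == "__main__":
    for email, reason in run_sample():
        print(f"REVOKE {email}: {reason}")
```

Running the reconciliation on a schedule, and treating every line it prints as an incident to close, is the manual substitute for the federated off-boarding the article says many SaaS vendors still lack.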
Well there is good news and bad news. ‘There is no consistent framework that the industry has agreed on and which can be used to compare and contrast the different security offerings,’ says Chenxi Wang, a VP and analyst with Forrester Research. This may be unavoidable in an area that is growing and changing as fast as the cloud is; it may not. Where there’s a will there may be a way. Meanwhile, users and prospective users of cloud services are left with the complex and time-consuming job of evaluating each provider’s security on a case-by-case basis. Fortunately, there are some steps that organisations can take to simplify the process of assessing the data security of cloud service providers and prospective service providers.
- Think local. Find out where your data will be stored and check physical security and personnel procedures – not easy when cloud service providers use other cloud service providers that use other cloud service providers.
- Check compliance. Do all links in the cloud chain comply with relevant legislation such as the Data Protection Act and Sarbanes-Oxley? You can delegate the practicalities of compliance but not the legal responsibility.
- Establish liability. What is the legal position if something goes wrong in the cloud? Where does liability fall if your data is destroyed, hacked or stolen? Reading the fine print in contracts is vital, as FSN outlined here.
- Assess policies and practices. Are the service provider’s policies and practices at least as good as your own, from background checks on personnel to disaster recovery planning? Update your internal security policies to cover the use of cloud services.
- Consider access control. How secure is it? Does each user have a discrete ID? What about audit trails? Is access control federated, or will you need to manage this separately?
- Plan ahead. What is going to happen to your data at the end of your contract term, or if the relationship ends for some other reason, such as the cloud vendor going out of business?
- Factor in failure. How will you respond if events such as these, or other types of system or procedural failure, occur? Will you be notified? How will you be notified? When will you be notified? What recourse do you have?
- Think mobile. Review your mobile needs for today, tomorrow and in the longer term. If you are struggling to provide support for mobile devices, is your cloud service provider doing any better?
- Do your homework. Research and read up on how cloud security is handled so that you can ask the important questions and make an informed choice – and compare the data security offered by different public cloud providers.
- Count the cost. Assess how much work you will need to do to bring the security of cloud software, services and data up to the level you usually require and then work out what this is going to cost.