The use of cloud-based services continues to grow, as businesses are drawn to the prospects of lower costs and greater agility and scalability.
But it’s important to realize that many businesses — both existing and potential clients of yours — are still in the experimental stages of cloud computing.
Some of this reluctance is due to wariness of the risks associated with this new era of computing. According to a CompTIA study on security considerations, the top five cloud security concerns are:
- System downtime/business interruptions.
- Exposure or loss of data during file transfers to the cloud.
- Concerns over encryption of data (either transactional or at rest).
- Physical security of cloud service provider data centers.
- Shared technology vulnerabilities in a multi-tenant environment.
As a commercial integrator and IT solutions provider, your interest in cloud security may range from evaluating security provisions as a potential consumer of cloud-based services to assessing the security preparedness of potential partners. Regardless of the role you intend to play, awareness of the questions to either ask or be prepared to answer is key to the success of your cloud-based proposition to clients. Following are five factors to consider.
Know the Concerns and How to Address Them
The biggest difference between a cloud solution and an on-premise solution is that control has been given to someone else: namely, the cloud provider.
Companies must review how they want to handle security, reliability, compliance and legal issues related to their cloud service; then they must carefully review the service level agreement (SLA) and discuss security with their cloud provider. Any gaps in the provider’s security coverage need to be addressed through changes in policy for the end user.
Build on the Trust … but Question It Too
Despite concerns, most cloud users report being confident or very confident (net 85 percent) in their cloud service provider’s security. A few notable incidents notwithstanding, this should be viewed as a testament to the quality of service offered by the major cloud providers and the support provided by IT solution providers. While confidence in cloud security is high, the level of due diligence reported raises the question of whether that trust is misplaced.
According to CompTIA security research, only three in 10 customers report engaging in a heavy and comprehensive review of the security policies, procedures and capabilities of their cloud service provider. Don’t be afraid to make inquiries about the cloud service provider’s encryption policies, business continuity and disaster recovery, data integrity and retention policies, credentials and regulatory compliance.
Know That Not All Data is Meant for the Cloud … and That’s Okay
Many organizations have no intention of putting certain types of data or applications into the cloud. Topping the list are confidential financial data, credit card data, and sensitive IP. For IT solution providers and cloud service providers, this should serve as a reality check.
Know Compliance Requirements … Your Own and Your Customers’
Organizations making the transition to the cloud may discover a security-related element that forces a change of plans. As the cloud model matures, some of these issues may naturally work themselves out, but in the shorter term, IT solution providers and cloud vendors can provide a valuable service in reducing the likelihood of these types of situations. In the longer term, third-party assessments of cloud service provider security policies, procedures and capabilities may become standard.
Appreciate That Business Managers Often View Security Differently … If at All
One of the most discussed aspects of cloud computing is its accessibility, even for users with less technical skill. An end user can start working with a software as a service (SaaS) application by visiting a website and providing user credentials and billing information.
This represents a high-risk area for companies. Business staff who begin using cloud solutions outside the purview of those responsible for the IT environment may not be considering where data is being stored, what happens in case of an outage, or how the cloud tool is integrated into other business systems.