Managing cloud computing security requires planning
Posted On: Jan. 15, 2012 12:00 AM CST
More businesses are using cloud computing as a means to cut costs, but planning is an essential component of protecting company data, experts say.
To minimize the risks inherent in data being held remotely by third parties, companies should carefully investigate potential cloud providers, provider contract language, what data is stored in the cloud, where the data is actually located and with whom the virtual space is shared, observers say.
Cloud computing essentially involves using remote services to process, manage and store data.
Gene Spafford, director of Purdue University's Center for Education and Research in Information Assurance and Security in West Lafayette, Ind., said not everyone should go into the cloud “because there are risks that simply can't be completely mitigated.”
But many observers say when properly implemented, the cost efficiencies generated by cloud computing can more than offset its inherent risks.
“Make sure you fully understand the risks and understand the relationship with the cloud provider and with the contract that you're entering into with your cloud provider,” and that the risk manager, attorneys and technical experts are involved, said Hartford, Conn.-based Tim Francis, enterprise cyber insurance lead for Travelers Cos. Inc.
One critical factor is the data that will be put in the cloud.
Chris Barbier, director of technology services at consultant Smart Devine & Co. L.L.C. in Philadelphia, said it's essential to make “sure you know what data is going to be stored, and how that data needs to be protected.”
One option is to keep the more sensitive, personal information in-house rather than placing it in the cloud.
Mark Camillo, vp of professional liability at Chartis Inc. in New York, said a retailer, for instance, may decide to put its catalog on the cloud but use its own website to process transactions.
Certain data subject to state or federal regulations may have specific security requirements, said Michael R. Overly, a partner with law firm Foley & Lardner L.L.P. in Los Angeles.
Encryption can help protect the data that is placed in the cloud, assuming the encryption key is not stored on the same server, said Tom Srail, Cleveland-based senior vp of FINEX North America at Willis North America.
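As an added illustration (not code from the article or from any of the firms quoted), the Go program below shows what "the key is not stored on the same server" looks like in practice: the record is encrypted on the customer's own system with AES-256-GCM before it is uploaded, the provider receives only a nonce and ciphertext, and the key never leaves the customer. Anyone with access to the provider's storage but not the key gets an authentication failure rather than the data. The object name is bound as associated data so a stored ciphertext cannot be served back under another name. The sample record, the object names and the function names are assumptions made for this example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// CloudObject is everything the provider ever stores for one record:
// a random nonce and the AES-GCM ciphertext (which carries its own tag).
// The key is deliberately absent from this structure.
type CloudObject struct {
	Nonce      []byte
	Ciphertext []byte
}

// NewLocalKey generates a 256-bit AES key. It is created and kept on the
// customer's side (on-premises key manager, HSM, etc.) and never uploaded.
func NewLocalKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealForCloud encrypts a record before it leaves the customer's system.
// objectName is bound as associated data so a ciphertext stored under one
// name cannot be silently returned under another.
func SealForCloud(key, plaintext []byte, objectName string) (CloudObject, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return CloudObject{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return CloudObject{}, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, []byte(objectName))
	return CloudObject{Nonce: nonce, Ciphertext: ct}, nil
}

// OpenFromCloud decrypts a downloaded object with the locally held key.
// A wrong key, a wrong object name or any change to the stored bytes fails
// authentication instead of yielding garbage plaintext.
func OpenFromCloud(key []byte, obj CloudObject, objectName string) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	pt, err := gcm.Open(nil, obj.Nonce, obj.Ciphertext, []byte(objectName))
	if err != nil {
		return nil, errors.New("open failed: wrong key, wrong object name or tampered data")
	}
	return pt, nil
}

// PlaintextVisible reports whether the stored bytes contain the record
// verbatim, i.e. what provider-side access without the key would reveal.
func PlaintextVisible(obj CloudObject, plaintext []byte) bool {
	return bytes.Contains(obj.Ciphertext, plaintext)
}

func main() {
	key, err := NewLocalKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample record for this example; not real data.
	record := []byte("customer=Jane Doe;card=4111111111111111;exp=12/14")

	obj, err := SealForCloud(key, record, "customers/jane-doe.json")
	if err != nil {
		panic(err)
	}
	fmt.Printf("provider stores %d bytes, plaintext visible: %v\n",
		len(obj.Nonce)+len(obj.Ciphertext), PlaintextVisible(obj, record))

	// The customer, holding the key, reads the record back.
	back, err := OpenFromCloud(key, obj, "customers/jane-doe.json")
	fmt.Printf("customer decrypts: %q err=%v\n", back, err)

	// The provider (or an intruder on its server) has no key.
	otherKey, _ := NewLocalKey()
	_, err = OpenFromCloud(otherKey, obj, "customers/jane-doe.json")
	fmt.Println("without the customer's key:", err)

	// Same key, but the object is served under a different name: rejected.
	_, err = OpenFromCloud(key, obj, "customers/john-doe.json")
	fmt.Println("renamed object:", err)
}
```

The design point is that the key material and the ciphertext have different custodians: if the key were held on the same server as the data (or in the same provider's key service under the same credentials), a compromise of that server would expose both, and encryption would add little.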
“You want to assess the competency of the vendor, their professionalism, their history, the business, the number of satisfied customers—like you would any” service provider, said Nicholas Economidis, Philadelphia-based underwriter of professional liability and specialty lines at Beazley P.L.C. “You want them to take reasonable amounts of responsibility for any mistakes.”
Organizations need to make certain that a provider's security protocols are “no less rigorous around data privacy” than the organization's, said Greg Leffard, Simsbury, Conn.-based vp of professional liability for The Hartford Financial Services Group Inc.
Larry Collins, New York-based managing director and head of e-solutions at Zurich Services Corp., said cloud computing represents an “enormous improvement in security” over that of individual firms. “Having said that, cloud infrastructure is like a fortress with three walls,” because users have to come in and out.
Be sure the cloud provider complies with recognized security protocols, said Kevin Hunter, Owings Mill, Md.-based chief architect information technology for Zurich North America. “Even the small providers typically invest enough” to meet those certifications, he said.
However, Richard L. Santalesa, Fairfield, Conn.-based senior counsel at Information Law Group, said he anticipates greater focus on audit certifications by third parties with regard to security. Such focus “has not moved to the level” he said he hopes it will this year.
Do not hesitate to ask for detailed information on security “so you can gain confidence your data will be protected,” Foley & Lardner's Mr. Overly said. “What kind of responsibilities are they willing to take on?” If companies find their providers are dragging their heels on providing security data, “then I think you need to be concerned.”
While a business wants to be certain that its data is secure, “there are also business risks,” said Sandy Codding, Boston-based leader in the U.S. commercial E&O advisory practices of Marsh Inc.'s FINPRO unit. “Will the data be available when you need it? Will it be available as fast as you need it?”
Observers warn, though, that there may be little room for negotiation with cloud service providers about their security.
“Unless we're talking about a very large transaction, generally most agreements are relatively non-negotiable,” said Mr. Overly. Cloud service providers are set up so as “to provide one service in a cost-effective manner,” and that cannot be achieved by addressing each customer's unique security requirements, he said.
Another contractual issue is legal and regulatory obligations.
Veronica Somarriba, Whitehouse Station, N.J.-based senior vp and worldwide technology manager for Chubb Commercial Insurance, said if information is transferred to a cloud provider and there is a breach, the cloud user may have to provide notification under the contract.
“You want to be sure you have the protection to repatriate the data should it be required by an attorney general or subpoena” or as a regulatory requirement, said Alex Ricardo, New York-based director of breach response services at Beazley. In some cases, “it could be problematic for the insureds to get those back, depending on where the provider sits.”
Most cloud providers have multiple data centers and a client may not know where data from their business is stored, although this can be important, said Mr. Overly. Financial services firms, for instance, must conduct due diligence as to where sensitive data is located, he said.
Cloud services providers also may have data centers in the U.S. and abroad, and moving highly sensitive data across borders can be an issue, Mr. Overly said. European Union regulations, for instance, are “very strict” on this issue, he said.
The issue is not well-understood, he said. In addition, questions remain about electronic discovery in litigation cases, he said.
The availability of data if there is a catastrophe, if the cloud service provider goes out of business or if the user decides to switch cloud service providers is also a concern.
“What happens if, a few years from now, you decide to essentially use another vendor” that offers a better price, said Shawn Ram, San Francisco-based national technology practice leader for Aon Risk Solutions. “What is your exit strategy? How do you get your information out of one particular cloud and into another cloud?”
Firms also must be concerned with what happens when something does go wrong, Mr. Srail said. “Doing the forensics and investigations is a lot easier when you have all of your data internally.”
Another issue is a company's vulnerability should another firm on the same cloud be attacked or if the cloud service provider itself is a target.
“You could be taken down even if you're not a target,” said Mr. Srail. “You may want to ask” what other entities are in the “same virtual area of the cloud,” he said, although the information may not be made available.
CERIAS' Mr. Spafford said there are economic concerns related to appropriately budgeting for backups, audits and possibly redundant communications with the cloud provider.
“It's not simply something you can turn over to another party and then forget about,” Mr. Spafford said.