By Peter Rehäußer, CSC Cybersecurity
Cloud computing is here to stay. Its use continues to grow in many industries, even as the debate on cloud security continues. Part of the problem may be that there are companies that still don’t understand what cloud computing really means, what the major differences from classical hosting or outsourcing are, and how they need to protect their own data.
The following approach can help address typical issues, such as misunderstanding cloud concepts, cloud security ambiguity and lack of security awareness, and help move your cloud project forward successfully in a “secure” direction:
1. General “Go”/“No-Go” decision based on security considerations. Ask yourself the following questions: Why is it necessary for the company to use a cloud solution for a specific business case? What are the benefits (e.g. financial)? How valuable is the data processed within and by the cloud?
These questions should be answered by a security professional together with the business owners. Compare the possible benefits to the effort and cost required to mitigate the risks, to support your internal decision-making process. The result could also be a conditional Go (e.g. private cloud only).
2. After deciding to move ahead, think about what the future cloud solution should or must look like. Significant differences exist between the cloud types (private, hybrid, public), cloud services (IaaS, PaaS, SaaS) and cloud locations (on-premise or off-premise — and if off-premise, within national borders or not).
Take the risk/benefit analysis into account. This solution should consider data security, as well as the criteria for selecting the “right” cloud provider.
3. Check the offered cloud solutions and their security services with a gap analysis against your minimum security requirements. Make sure the cloud provider’s contract contains these elements:
- The subscriber will be allowed to perform audits and monitoring activities on the provided cloud solution, or the provider holds appropriate certificates that demonstrate its security level.
- The provider will ensure compliance with the relevant global and/or national security standard.
- The provider will be compliant with current regulations and laws (e.g. data protection; data will be kept within the national borders).
- The provider will establish any additionally requested security measures, e.g. encryption of data (data in process, data at rest and data in transit), multi-tenancy capability, separation of administrative privileges, user and access management, etc.
- The provider should provide a clear exit strategy. It must be clearly defined what will happen to the data at what point in time (e.g. that the provider must securely delete the data and must attest to having done so).
There’s no silver bullet to secure each and every cloud for all business purposes. Don’t refuse a cloud service just because it’s “cloud.” Your gap analysis will help you make the right decision for your business. This checklist will help demystify the cloud for decision makers within your organization and allow you to evaluate the best solution for your business needs.
This blog post first appeared in CSC’s Central and Eastern European blog, http://www.21stcenturyit.de/.
As head of CSC Cybersecurity Consulting Germany, Peter Rehäußer is responsible for the company’s cybersecurity consulting business in Germany.