To Cloud or Not To Cloud

In today’s uncertain times, cost savings are a primary focus for executives. Cloud services do seem to offer a silver bullet solution when it comes to infrastructure and ancillary IT services.

It does sound a little bit like the late 1990s and early 2000s, when outsourcing and offshoring seemed to be the answer to effective cost management. There was no project or initiative that would not consider outsourcing, offshoring or both. Today, this seems to be the case for cloud services: every project is required to consider what it might offer.

Cloud computing does offer potential cost benefits to businesses and government agencies. Major deals have been struck by big vendors such as IBM, HP and CSC in the past 2 years, and there has been a big push by the US and UK Governments to adopt cloud services. The US federal government's Cloud First strategy requires agencies to consider cloud computing as an option in any major IT acquisition, and each federal agency must complete at least one cloud project by the end of the year, and two more by June 2012.

If the US Government is doing it, and (for example) touts big industry names like FujiFilm, Google, Medibank, Australian Air Express and Dell as cloud service customers, is it a no-brainer for the rest of us? Well, maybe, but don’t be blindsided by simple cost savings.

The US Government has just released its Cloud Security Guidance through NIST, and other open source organisations like the Cloud Security Alliance have made sure there is industry guidance available to help organisations make the right decision.

So the right decision isn’t simple? Don’t forget, you are putting your data in the cloud, and the security and protection of your data is key, never more so than in the cloud. There are other considerations that you therefore need to take into account. Items like service level agreements for availability of the service, incident management, and growth on demand through compute and storage can all impact the simplicity of your decision.

From a security perspective, the following might help you decide to cloud or not to cloud:

  1. Ensure that the cloud services model you choose aligns with your risk tolerance and acceptance thresholds, and that the cloud services model is commensurate with the sensitivity and/or classification of the data being stored/processed in the cloud.

  2. Understand and document clear data ownership obligations and accountability of actions in the event of a breach.

  3. Ensure your legislative obligations for data protection and management are addressed.

  4. Understand where your data is being hosted and any impact the host country’s privacy laws will have on your data.

  5. Understand the legislative obligations that foreign-owned vendors may be subject to (with regard to their local country’s laws) whilst operating within your country.

  6. Understand the architecture of the cloud service and the proposed solution to ensure the isolation of tenant applications is appropriate and in line with your policies and data security standards.

  7. Ensure the cloud services provider has a secure gateway environment that is certified by an authoritative third party and the infrastructure is using validated products meeting federal or national standards.

  8. Ensure there is strong encryption at the gateway, further supported by robust threat monitoring and secure logging of all access to applications and infrastructure instances hosting your data assets.

  9. Ensure and validate the cloud service provider’s police check and employee vetting procedures.

  10. Ensure the cloud services provider has robust incident response and breach notification processes in place that are in line with your own security incident response processes, and that they will support forensic investigation if required.

These 10 security considerations will give you a quick snapshot. If you do decide to cloud, there are more in-depth checklists available.

Stories by Puneet Kukreja
