Assess risk before you ascend to the cloud

The risks of moving a company's data to a cloud provider are significant but manageable, according to a report released Tuesday by an international cybersecurity association.

"The decision to use cloud systems should be accompanied by an information risk assessment that's been conducted specifically to deal with the complexities of both cloud systems and privacy regulations," according to the report, "Data Privacy in the Cloud," by the Information Security Forum (ISF).

"It should also be supported by a procurement process that helps compel necessary safeguards," the ISF report said.

Greater due diligence is needed when choosing a cloud provider than when choosing an ordinary supplier because, unlike most other suppliers, a cloud provider has access to data that is critical to the business, explained ISF Global Vice President Steve Durbin.

"Furthermore," Durbin said in an email, "if something does go wrong -- the cloud service provider is 'harvested,' or worse, is taken down and data is lost -- the responsibility lies with the company not with the service provider."

"It is essential that companies go into these relationships with their eyes open, assess the service provider thoroughly and ensure that they are able to provide the level of assurance and contingency that is required by the company," he said.

"This will vary from company to company so there really is no shortcut here," Durbin added. "Do the work, conduct the assessment, assess the risk and then and only then buy the service."


Nirav Mehta, director of product management at RSA, the security division of EMC, identified five top security considerations when choosing a cloud vendor:

Availability. "If you can't tolerate downtime, then you should carefully include that in your selection criteria," Mehta said in an interview. "Not all cloud providers assure availability equally well."

Data Breach. A cloud provider should be asked what safeguards they have in place to prevent data from being accidentally or maliciously exposed to the wrong people.

Data Loss. What will the cloud provider do if your data is lost on its systems? "That could be a serious business risk if it's not included in the selection criteria," Mehta said.

Account Compromise. There have been many recent examples of cloud services failing in this area, including LinkedIn and Yahoo. "When that happens, it essentially amounts to a hijacking of that service," Mehta said.

Malicious Insider. People acting as administrators for cloud services have a lot of power over the data on those systems. If they abuse it, your data could be in trouble.

"If you're a cloud admin, you have access to everything, and the power to destroy an entire data center environment," said Eric Chiu, president and founder of HyTrust, a cloud infrastructure control company. "It's a very scary situation when you think of the power that the admins have."

Compliance is another issue a cloud shopper may want to keep in mind when choosing a nimbus provider, although for some heavily regulated industries, that issue will put a third-party cloud out of their reach.

"Mandates of things like PCI, HIPAA and FISMA require controls all the way up and down the stack," Chiu said. "That level of control and visibility is not enabled, so far, by cloud providers in their environments."

"That keeps a lot of companies from considering the cloud," he added.

Story by John P. Mello, Jr.