Assess risk before you ascend to the cloud

Report cautions companies to weigh dangers and scrutinize safeguards before choosing cloud provider

Risks to moving a company's data to a cloud provider are significant, but manageable, according to a report released Tuesday by an international cybersecurity association.

"The decision to use cloud systems should be accompanied by an information risk assessment that's been conducted specifically to deal with the complexities of both cloud systems and privacy regulations," according to the report, "Data Privacy in the Cloud," by the Information Security Forum (ISF).

"It should also be supported by a procurement process that helps compel necessary safeguards," the ISF report said.

Greater due diligence is needed when choosing a cloud provider than an ordinary supplier because, unlike other kinds of suppliers, a cloud provider has access to data that's critical to a business, explained ISF Global Vice President Steve Durbin.

"Furthermore," Durbin said in an email, "if something does go wrong -- the cloud service provider is 'harvested,' or worse, is taken down and data is lost -- the responsibility lies with the company not with the service provider."

"It is essential that companies go into these relationships with their eyes open, assess the service provider thoroughly and ensure that they are able to provide the level of assurance and contingency that is required by the company," he said.

"This will vary from company to company so there really is no shortcut here," Durbin added. "Do the work, conduct the assessment, assess the risk and then and only then buy the service."

Nirav Mehta, director of product management at RSA, the security division of EMC, identified five top security considerations when choosing a cloud vendor:

  • Availability. "If you can't tolerate downtime, then you should carefully include that in your selection criteria," Mehta said in an interview. "Not all cloud providers assure availability equally well."
  • Data Breach. A cloud provider should be asked what safeguards they have in place to prevent data from being accidentally or maliciously exposed to the wrong people.
  • Data Loss. What will the cloud provider do if your data is lost on its systems? "That could be a serious business risk if it's not included in the selection criteria," Mehta said.
  • Account Compromise. There have been many recent examples of cloud services failing in this area, including LinkedIn and Yahoo. "When that happens, it essentially amounts to a hijacking of that service," Mehta said.
  • Malicious Insider. People acting as administrators for cloud services have a lot of power over the data on those systems. If they abuse it, your data could be in trouble.

"If you're a cloud admin, you have access to everything, and the power to destroy an entire data center environment," said Eric Chiu, president and founder of HyTrust, a cloud infrastructure control company. "It's a very scary situation when you think of the power that the admins have."

Compliance is another issue a cloud shopper may want to keep in mind when choosing a nimbus provider, although for some heavily regulated industries, that issue will put a third-party cloud out of their reach.

"Mandates of things like PCI, HIPAA and FISMA require controls all the way up and down the stack," Chiu said. "That level of control and visibility is not enabled, so far, by cloud providers in their environments."

"That keeps a lot of companies from considering the cloud," he added.

Copyright © 2013 IDG Communications, Inc.