Choosing a Secure Cloud Service Provider

8 12 2011

Cloud computing is a promising technology that offers flexibility and cost savings to organizations. However, before adopting cloud offerings, organizations have to understand the associated security and compliance implications.

The security issues of cloud computing can be broadly classified into two groups: those faced by cloud service providers and those faced by cloud service customers. It is the duty of cloud providers to ensure that their cloud infrastructure is secure and that their customers’ data and applications are protected. Cloud customers, on the other hand, have to ensure that their cloud provider has taken proper security measures to safeguard their data and applications.

From a security perspective, the providers and consumers of cloud services have to worry about privacy, compliance and legal issues.

Choosing a cloud service provider is an important decision for an organization. Organizations have to assess the security risks involved when choosing a provider. Below are a few of the security issues that technology research and advisory firm Gartner suggests customers raise with their potential cloud providers.

Before selecting a cloud provider, customers have to make sure the provider has sufficient security programs to safeguard their data. By keeping sensitive data outside the organization, customers expose themselves to an inherent level of risk, as the data is no longer under the same controls as their in-house programs. Therefore, it is important that customers know which administrators have access to their data, what level of access they have and what access controls are in place.

Cloud service providers have more than one customer, so it is in the customer’s interest to know which other companies the provider is servicing and whether there is a risk of the customer’s data being exposed to competitors. Customers should ensure that providers take appropriate measures for data segregation. Customers should also ensure that cloud service providers are subject to appropriate external audits and security certifications.

Usually, customers are unaware of where their data is located. Customers should ask providers to store and process data in particular jurisdictions. This will ensure that the customer knows the legal implications of storing their data in particular locations. Customers should also obtain a commitment from providers to obey legal privacy requirements on their behalf.

Customers should make sure they understand and are comfortable with the cloud provider’s disaster recovery plan and management. Customers should ask the provider about its ability to completely restore data and how long that will take.

Investigation in a cloud environment is a challenge, because logging and data for multiple customers may be co-located and spread across multiple hosts and data centers. Therefore, customers should get a contractual commitment from providers that effective investigative support will be provided and that the provider is experienced in providing such support.

Finally, customers should ensure that the provider takes appropriate measures to return the customer’s data in a format that can be imported into a replacement application, in case the provider ends up in a situation where it can no longer provide cloud services.




