This is according to Werksmans Attorneys director Tammy Bortz, who says that SA currently has no guidelines, standards or codes of conduct in place for cloud computing.
Internationally, there are a myriad of organisations that have issued guidelines and codes of conduct for cloud computing. These include the Cloud Security Alliance, the Cloud Industry Forum and the European Network and Information Security Agency.
Hence, at the very least, before a local company selects a cloud provider, an audit of the provider's security policies and processes must be done to understand both the logical and physical security processes applied to data, Bortz explains. When deciding on a cloud provider, the decision taken and any subsequent contract that's concluded must be treated the same way as any other technology the organisation relies on, she says.
If the cloud provider does not allow an audit, a report by an independent auditor regarding the cloud provider's security processes and procedures should be requested, she says. Bortz further explains that the Statement on Auditing Standards No. 70 (SAS 70) has become the auditing report by which all cloud providers are judged, and that the minimum a provider should have is a SAS 70 Type II audit statement.
She adds that the cloud provider should be asked if it has experienced any security breaches, and if yes, full details of those breaches must be provided, as well as what steps the provider will take, going forward, to avoid further breaches.
The use of cloud services is inevitable, especially as more organisations look for ways to cut costs and improve efficiencies, Bortz says. A careful and comprehensive technical and legal due diligence of cloud providers and their offerings will go a long way in mitigating inherent risks in the use of cloud services, she says.
Bortz is a speaker at the ITWeb Virtualisation and Cloud Computing Summit.