Due diligence mitigates cloud data concerns

Sensitive corporate data stored and processed in the cloud can expose organisations to considerable risk if not managed correctly.

By Johann Barnard, ITWeb contributor
Johannesburg, 10 Feb 2014

Given the revelations over the past year of the extent to which government agencies have been monitoring and gaining access to sensitive data, not to mention directly tapping into the pipes connecting global organisations such as Google and Yahoo, CIOs would be forgiven if their paranoia levels have notched up a level or two.

Sales people will lead you down a path that looks rosy, but once you jump on board, that may not be the reality.

Andrew Kirkland, country manager, Trustwave

"There are no such things as guarantees [that data will not be compromised]," says Andrew Kirkland, country manager for managed security services company Trustwave. "At the end of the day, assurances are not enough, but what can be done is due diligence. Sales people will lead you down a path that looks rosy, but once you jump on board, that may not be the reality."

This may be rather unsettling news for organisations that have or are considering storing or processing some of their corporate information in the cloud. And with pressures for IT executives to provide 24-hour access, from anywhere on practically any device or platform, the options may seem suddenly diminished.

Hosted CRM systems are particularly at risk, given the value of the information that moves to and from the field.


Kirkland suggests a due diligence process be undertaken to verify that the provider has the required certification. This includes going so far as to requesting copies of this documentation and proof that their systems have been sufficiently audited.

In addition to this, it's recommended that the service agreement clearly outlines where the lines of responsibility lie in terms of securing the data. This can become especially cumbersome if multiple hosted providers are used to delivering a suite of different services.

"When looking at this, flexibility has to be built in order for you to have control of customisations, so that you don't have to worry about what the various service providers are doing," Kirkland says.

Lastly, a level of comfort can be gained if the service provider does regular fire drills to test the integrity of their security measures through penetration testing. This is not standard practice with all providers, and the absence of such testing should be a red flag to CIOs.

First published in the February 2014 issue of ITWeb Brainstorm magazine.