Mitigating cloud risks

Using cloud services is inevitable; doing a comprehensive technical and legal due diligence of potential cloud providers will go a long way in mitigating risks, says Werksmans Attorneys' Tammy Bortz.

Data protection and privacy are the most commonly presented risks when a customer considers placing sensitive and personal data in the cloud.

This is according to Werksmans Attorneys director Tammy Bortz, who says that SA currently has no guidelines, standards or codes of conduct in place for cloud computing.

Internationally, there are a myriad of organisations that have issued guidelines and codes of conduct for cloud computing. These include the Cloud Security Alliance, the Cloud Industry Forum and the European Network and Information Security Agency.

Hence, at the very least, before a local company selects a cloud provider, an audit of the provider's security policies and processes must be done to understand both the logical and physical security processes applied to data, Bortz explains. When deciding on a cloud provider, the decision taken and any subsequent contract that's concluded must be treated the same way as any other technology the organisation relies on, she says.

ITWeb Virtualisation and Cloud Computing Summit 2012

In today's cut-throat business environment, it is essential to innovate in order to remain competitive. One such innovation is adopting cloud services in order to realise efficient service and performance. ITWeb's Virtualisation and Cloud Computing Summit takes place from 17 to 19 July 2012.

If the cloud provider does not allow an audit, a report by an independent auditor regarding the cloud provider's security processes and procedures should be requested, she says. Bortz further explains that the Statement on Auditing Standards No. 70 (SAS 70) has become the auditing report by which all cloud providers are judged, and that, at a minimum, a provider should have a SAS 70 Type II audit statement.

She adds that the cloud provider should be asked if it has experienced any security breaches, and if yes, full details of those breaches must be provided, as well as what steps the provider will take, going forward, to avoid further breaches.

The use of cloud services is inevitable, especially as more organisations look for ways to cut costs and improve efficiencies, Bortz says. A careful and comprehensive technical and legal due diligence of cloud providers and their offerings will go a long way in mitigating inherent risks in the use of cloud services, she says.

Bortz is a speaker at the ITWeb Virtualisation and Cloud Computing Summit.
