Is your cloud provider compliant?
Companies must scrutinise the technology and its provider to make sure it is up to standard with the security and compliance requirements, says John McLoughlin, MD of J2 Software.
Before investing in any new technology, an organisation must first establish whether that technology will meet the business' needs. Similarly, the organisation must scrutinise the technology and its provider to make sure it is up to standard with the company's security and compliance requirements.
One such example of this, says John McLoughlin, MD of J2 Software, a distributor of SkyView Partners' managed security solutions, is cloud computing.
"The business benefits of cloud computing are widely accepted and documented; however, whether or not cloud computing meets your business requirements is dependent on the type of data being stored, accessed, and shared in the cloud."
He cites the example of using the cloud to store personal information protected by laws such as POPI. "Before storing data that is extremely confidential or highly sensitive in the cloud, a business will want to examine the restrictions placed on this sort of information by its security policies. You should also thoroughly question the potential cloud provider to make sure they can meet your security and compliance needs."
Questions such as who has root access to the data, whether administrators access the servers through encrypted sessions, what the provider's patch management strategy is, and what security tools, such as anti-malware, it has in place are all vital, he adds.
McLoughlin also advises businesses to ask whether the potential service provider's server configurations are in compliance with the relevant regulations, what password configurations are in place, and whether these can be adapted to meet your business' specific requirements. "To help mitigate against possible insider threat, the cloud provider should be able to identify and shut down the accounts used by any staff exiting the company, to ensure they no longer have access to any sensitive information."
Another point to bear in mind, he says, is how logging is performed and the duration for which any logs are retained. "Depending on the industry, most regulations stipulate that a certain level of logging take place. The business' security policy may insist on the logging of various functions, such as failed log-in attempts and suchlike. A period of anywhere between one and seven years can be applicable.
"Businesses should also ask for details on the cloud service provider's network and security configurations. Targeted attacks are a frightening reality today, and hackers often gain access to a business network due to poor configurations. If that business happens to be your cloud provider, this could mean your most sensitive data could fall into a hacker's hands through no fault of your own. Cloud providers, because they store such massive volumes of data, are often targets for this type of attack, so make sure they have all appropriate controls in place. This is also true of denial-of-service (DoS) attacks. Your cloud provider should have measures in place to make sure they are prepared for this sort of attack, so that your business isn't negatively impacted."
In terms of data privacy, McLoughlin advises businesses to check their providers for any possible data residency issues. "Some countries have rules governing the storage of information, and insist it remains within the country's borders. Cloud providers often store data across several countries and locations, so ensure that this will not cause you to fall foul of any data residency laws."