As more and more companies have moved their critical data and applications to cloud platforms, concerns about security and compliance have grown. Most European countries have introduced new data protection and privacy laws that are far stricter than before, and companies that lose data and fail to report it on time risk substantial fines, including personal liability for executives in some jurisdictions.
Does this mean the cloud is less secure than an on-premises platform? The answer depends on the individual cloud provider and its level of security maturity. Many cloud providers have lagged behind on security, as recent high-profile breaches show. This has left organisations, and indeed individual consumers, wary of having their data stored in the cloud.
A good cloud provider invests heavily in physical and logical security, using state-of-the-art detection and prevention technologies. Still, not every provider adopts the same high security standards. How can you assess the real safety and security of your cloud provider? Start by taking a good look at these points:
- Is the provider ISO 27000 certified? The ISO 27000 family of standards helps organisations keep information assets secure. The standard provides requirements for an information security management system (ISMS), which is a systematic approach to managing sensitive company information so that it remains secure. It includes people, processes and IT systems.
- What industry sectors does the provider host data for, and which industry regulations are they obliged to meet?
- Does the provider use EAL-evaluated (Common Criteria) and FIPS-validated hardware for data segregation?
- Where does the provider store its data? In Europe, the US or elsewhere? Storing data in the same geographies as your offices simplifies compliance with data privacy regulations. Does the cloud provider have data centres located in your region?
- What data encryption options does the cloud provider offer? Disk-level encryption protects against a physical disk being stolen, but offers no protection against an attacker who can access the running system, so don’t assume that encryption equals secure.
- Make sure data is properly segregated between customers in the data centre. To serve many customers, most providers run a multi-tenant data centre in which customers share the physical infrastructure. A secure provider can offer data segregation to suit a customer’s budget and risk appetite, ranging from virtual separation to an air gap throughout the stack.
- Look for a provider’s track record by asking for customer references.
- Decide what level of information assurance your data requires. Assess the value of the data to your business, your customers, your stakeholders and your employees; from that, you can determine the level of protection the data needs.
In the digital age, data is the most valuable asset for most companies, and it needs to be protected accordingly.
Not all cloud providers are the same, and not all cloud providers are security-focused. For this reason it is critical that you assess your cloud provider’s security and ask them to design a solution that meets your security needs and can provide the right level of protection for your data.