Is cloud computing secure? This is a question we often hear when we’re exhibiting at business events. So we’ve decided to go through some of the common concerns we hear, and explain how they are actually unfounded provided you choose a reputable cloud service provider.
Many businesses are concerned that their data won’t be secure if they move to the cloud. But the fact is, when you are paying a cloud provider, you are also paying them for security and data backup.
Cloud service providers can afford to devote large resources to maintain the latest protections, and this is something they take very seriously.
They have the time and resources to make sure your data is protected by the best defences in the industry, such as strong encryption and authentication practices, access and permission controls, comprehensive back-ups, strong password policies, redundancy and disaster recovery.
Can you say that you know for sure that your on-premise servers are being monitored 24/7 in the way that cloud providers monitor theirs? Implementing top-of-the-range security software on-premise is not always possible with the limited resources and budgets of smaller firms.
By entrusting your business data to a reputable cloud provider, you get enterprise-grade security which includes all the latest protections, updates and patches.
Make sure you check the security credentials of your prospective cloud providers. Please note, if you opt for a ‘hosted cloud’ solution, then you should check the security credentials of both the software provider and the hosted platform / cloud data centre provider. Take a look at the last section of this article to find out the kind of things you should be looking for.
Tip: Make sure the cloud solution you choose is designed for business use, and not personal use.
One of the biggest perceived disadvantages of cloud-based solutions is a loss of control over your data. Some people are worried about storing it in a cloud provider’s data centres, but an important thing to understand is, when it comes to your data, you still own it.
That being said, there is a lack of clarity when it comes to the legalities of data ownership in the cloud. That’s why it’s important to check with your prospective cloud provider that you do indeed own your data. The contract between you and your cloud service provider must address this issue by defining the extent of the service provider’s right to process and store data on behalf of the customer.
You should also find out what happens at the end of your contract – double check that the data still belongs to you and that you can easily extract it if and when the time comes (check for ‘exit fees’, for example).
One thing to note is that because you still own your data, you are still ultimately responsible to regulators such as the Information Commissioner. You need, therefore, to understand what you and your cloud provider are each responsible for, so make sure you study their service-level agreement (SLA) closely.
If you opt for a ‘hosted cloud’ solution, then you should check who owns the SLA – is it the software provider or the hosted platform / cloud data centre?
Also, make sure you check that they have the appropriate certifications (e.g. ISO 27001) and that they are signatories to any appropriate international frameworks.
A loss of control?
Another concern businesses often have is losing control of their servers and software where their data is stored. They have been looking after things themselves for a long time, so it can be difficult to trust a cloud provider to take care of everything for them.
But if you’re not a technology company, does it really make sense to own and manage your IT and the overheads that come with it?
Consider this analogy – you trust your bank to look after your money because they have the security measures and procedures in place that mean you trust it’s in safe hands. It wouldn’t be safer to keep control of it and store it under your bed at home.
The same goes for your IT. And with relinquishing this control comes freedom – while the cloud provider is spending the time and money looking after the servers and software where your data is stored, you can concentrate on growing your business.
So what data security credentials should you be looking out for?
Always check the security credentials of your prospective cloud provider(s). The kind of things you’re looking for are:
Disaster recovery – Multiple data centres and operations engineers that are geographically distributed from each other mean that in the event that one data centre fails, all operations fail over to a secondary data centre. Also check that they employ the latest fire suppression methods and seismic isolation equipment.
Redundancy – This allows one or more elements to fail without any interruption in service by having multiple, redundant systems online to automatically assume processing on behalf of the failed component.
Strict physical security policies – When it comes to the security of the data centres, find out how strict their policies are with regard to letting in authorised personnel. And how is the building itself protected – are all entry points monitored and alarmed? Is it guarded by security guards 24/7? Do they have a dedicated security team?
Strong encryption practices – Check that all data is encrypted to industry standard.
Application-only access – Users can only access the application itself, and not the underlying database or infrastructure components.
Role-level access – Users only have permission to see the data and features that are related to their job role.
Idle disconnect – The system detects idle connections and automatically locks the browser screen to prevent unauthorised access from an unattended computer screen.
IP address restrictions – Access restrictions from specific computers and/or locations.
Robust password policies – Look for fine-grained password configuration options (length, combination of characters, expiration timeframes, etc.). Check that accounts are locked after several unsuccessful attempts. Do they offer multi-factor authentication?
Continuous monitoring – Intrusion detection systems identifying malicious traffic. Do they log and block unauthorised connection attempts?
Enterprise-grade anti-virus software – To guard against trojans, worms, viruses and other malware.
Security certifications – Check they are certified for PCI-DSS, and are compliant with international frameworks for data security. Is their Information Security Management System in accordance with the ISO 27000 series of standards? (If they are a US provider, have they passed SSAE 16 Type II and ISAE 3402 Type II audits?)
I hope that you found this useful and it helps in the search for your perfect business management solution. Let us know in the comments below if you have any tips on what to look out for when it comes to security in the cloud.
NoBlue provides NetSuite’s cloud-based business management solution, which is ideal for growing companies as well as larger enterprises. If you’d like any further information on how cloud software could benefit your organisation, please get in touch.