Cloud Computing and Security: Do You Know Where Your Data Is?
Post by Chris Curran on June 12, 2012

Migrating more data and applications to the cloud is at the top of CIOs’ to-do lists right now.
52% of the 489 business and technology executives who responded to our 2012 Digital IQ study plan to boost their spending in the private cloud this year. Those same firms are simultaneously setting their sights on the public cloud. 57% of the leadership surveyed claim they are ramping up their investments in public clouds.
Understandably, security is weighing heavily on the minds of CIOs as they shift to the cloud, especially as organizations move more of their core processes there. Looming large is how companies will maintain their risk posture.
In PwC’s new video series on cyber security, my colleague, Harshul Joshi, and Ralph Pyne, CISO, Zinio Systems, discuss the most important thing that companies need to do before they make the leap to the cloud.
It’s imperative that CIOs understand their own infrastructure and their own environment so they can mandate to the service providers how to control their data, according to Joshi.
Pyne strongly agrees.
According to Pyne, before companies even think about transitioning to the cloud, the most important question for them to ask is: do we understand our current risks, and do we know what our assets are?
Understanding your data classification and data structure is imperative. A lot of companies don’t do this well. This is the first and most important thing that companies need to be thinking about.
On the flip side, according to Pyne, we need the same level of information from our cloud providers as we do from our own internal systems. Knowing exactly where your data is going to reside becomes incredibly pertinent. The right cloud provider can serve as a powerful security partner in this regard.
“Some of the big cloud providers are maintaining teams of investigators who are able to respond much more quickly and capture the information much more quickly, so there are some strong advantages there,” said Pyne.
Check out the full conversation between Joshi and Pyne here.
The following checklist can help you conduct a risk-based assessment of your cloud environment (you can read more in Navigating Security in the Cloud):
- Security: The assessment of information security should include, at a minimum, data encryption, data storage location, segregation, risk management, user access, systems management, and incident response.
- Privacy: Privacy can be assessed using the generally accepted privacy principles audit framework published by the American Institute of Certified Public Accountants. Organizations should also use the privacy guidance that is appropriate to their industry, such as the Gramm-Leach-Bliley Act or the Health Insurance Portability Act.
- Scalability: Scalability is assessed by due diligence on aspects such as load testing, stress testing and forecast growth.
- Metering: Metering can be assessed by revenue-recognition testing as well as due diligence on the integrity and security of metering systems.
- Availability: Availability can be measured by investigating resilience of the architectural components and reviews of data recovery and information retrieval aspects.
- Data leakage: The likelihood of unauthorized disclosure of data can be examined by a risk assessment that specifically evaluates data-leakage vulnerabilities.
What do you think is the most important step to take before transitioning to the cloud?