Data Security in the Cloud
Economic difficulties are causing businesses to look to cloud computing as a cost-saving solution. However, as more and more information is placed in the cloud, there are growing concerns about how safe an environment it is.
There are a number of security issues associated with cloud computing, but data security is arguably the biggest. The main areas of concern specific to data security include:
- Access – Data placed in the cloud is accessed and managed by persons other than privileged users within the customer’s organisation. What level of security checks is enforced on those individuals?
- Protection – The nature of cloud computing means data can be stored at any geographical location at any given time. Apart from some cloud service providers such as Amazon, which offers its customers the option of choosing between different zones in which to store their data, it is uncommon to see a cloud computing service contract in which the customer is guaranteed that their data will not be transferred outside a specified region. Customers need to be aware that local laws may apply to data held on servers within the cloud, and that it is their responsibility to comply with data protection laws in the various jurisdictions worldwide where their data is held.
- Segregation – Data in the cloud is typically stored in a shared environment whereby one customer’s data is stored alongside another customer’s data. While it is difficult to assure data segregation, customers should review the cloud vendor’s architecture to ensure proper data segregation is available and that data leak prevention (DLP) measures are in place.
- Recovery – As with traditional IT systems, unexpected problems can occur with cloud computing. What plan is in place to recover customers’ data in the event of a disaster, how long will data restoration take, and what will the impact on business continuity be?
Companies should be aware of the above issues, and adhere to the following best practices when deciding to go into the cloud:
- Ask where data will be kept and enquire about the details of data protection laws in the relevant jurisdictions.
- Include clauses in the cloud service contract stating that your data always belongs to you, that you can reclaim your data at any time and that your data shall not be disclosed to any third party.
- Make it as hard as possible to gain access to your systems, and then to your data, by implementing two-factor user authentication.
- Ensure that data is encrypted both ways across the Internet by using, for example, mutual SSL. Ensure that data is encrypted when at rest, as well as when in motion from one location to another. You, the customer, should have control of key materials used for encrypting and decrypting data.
- Develop good password policies – how they’re created, changed and protected.
- Seek an independent security audit of the cloud vendor.