21. April 2017
I bet that when you announced the migration to the cloud you heard the security folks screaming. However, when you asked them for reasons, they could not convince you to change your decision. So here are the top 10 security concerns, which may or may not apply to your cloud provider.
Intellectual property rights – Did you know that when you upload your data to the cloud you may also be granting the provider rights over it, and that some agreements go as far as transferring intellectual property rights in that data? Some cloud providers reserve the right to use your data to improve their services or to create new products and services. That is why reading your agreement with the cloud provider is so important.
Data protection – Did you know that not all cloud providers give you the option to encrypt your data at rest? Even where they do, encryption with provider-managed keys protects you against a stolen disk, not against the provider itself: whoever holds the key can read the data. Furthermore, some providers clearly state that your data must remain accessible to legal or regulatory authorities on request. If that is unacceptable, encrypt before you upload and keep the keys under your own control; then the provider holds only ciphertext.
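The point about encryption at rest and provider-side access is easiest to see in code. The following is an added example, not code from the original post or from IISRI: client-side envelope encryption in Go using only the standard library, with a key-encryption key (KEK) that never leaves you and a fresh AES-256 data key per object. Binding the object name as associated data is this example's own design choice, and the random KEK in main is a placeholder for a key store you control.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Envelope is what actually gets uploaded. The provider stores the data key
// wrapped under a KEK it never sees, so a disk image, an analytics pipeline
// or a legal request served on the provider yields only ciphertext.
type Envelope struct {
	WrappedKey []byte // per-object data key, AES-GCM under the KEK (nonce || ct)
	Ciphertext []byte // object body, AES-GCM under the data key (nonce || ct)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts plaintext with a fresh random nonce and returns nonce || ciphertext.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal and fails if the nonce, ciphertext, tag or AAD were altered.
func open(key, blob, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

// Encrypt builds the Envelope for one object. The object name is bound as
// associated data (this example's design choice), so a blob copied or renamed
// to another key in the bucket will not decrypt under the new name.
func Encrypt(kek []byte, objectName string, plaintext []byte) (Envelope, error) {
	dataKey := make([]byte, 32) // AES-256 data key, unique per object
	if _, err := rand.Read(dataKey); err != nil {
		return Envelope{}, err
	}
	ct, err := seal(dataKey, plaintext, []byte(objectName))
	if err != nil {
		return Envelope{}, err
	}
	wrapped, err := seal(kek, dataKey, []byte(objectName))
	if err != nil {
		return Envelope{}, err
	}
	return Envelope{WrappedKey: wrapped, Ciphertext: ct}, nil
}

// Decrypt unwraps the data key with the KEK, then opens the object body.
func Decrypt(kek []byte, objectName string, env Envelope) ([]byte, error) {
	dataKey, err := open(kek, env.WrappedKey, []byte(objectName))
	if err != nil {
		return nil, fmt.Errorf("unwrap data key: %w", err)
	}
	return open(dataKey, env.Ciphertext, []byte(objectName))
}

func main() {
	kek := make([]byte, 32) // placeholder: in production, from an HSM/KMS you control
	if _, err := rand.Read(kek); err != nil {
		panic(err)
	}
	secret := []byte("customer list Q1 (constructed sample object)")
	env, err := Encrypt(kek, "backups/customers.csv", secret)
	if err != nil {
		panic(err)
	}
	pt, err := Decrypt(kek, "backups/customers.csv", env)
	fmt.Println("round trip ok:", err == nil && bytes.Equal(pt, secret))
	_, err = Decrypt(kek, "public/customers.csv", env) // same blob, different name
	fmt.Println("renamed object decrypts:", err == nil)
}
```

Whatever the provider encrypts on its side is additional; the property that matters here is that the provider never holds the KEK, so the access clause in the agreement or a subpoena served on the provider returns ciphertext. The price is that losing the KEK means losing the data, so how you back up and control that key deserves the same attention as the backups of the data itself.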
Misleading compliance with international certificates – “My cloud provider is ISO 27001 and PCI DSS compliant. I don’t have to worry about anything.” In reality, compliance statements are used by marketing people to attract customers, and a copy of the actual certificate is very often not available. The reason is simple: some or most of the provider's services may not be in the scope of the certification. Ask for the certificate together with its scope statement (for ISO 27001) or the Attestation of Compliance (for PCI DSS), and check that both the services you will use and the data centres hosting them are listed in that scope.
Fail over – You might think that one of the basic services you get when moving to the cloud is that your data is backed up and always recoverable after any incident or disaster. In reality, some cloud providers do not offer rapid recovery at all, and you might have to wait days for a restore. In the worst case, backup and recovery are not offered as a service and remain entirely your responsibility. Get the recovery point and recovery time objectives in writing, and test a restore before you depend on it.
Snowden Effect – The NSA may be considered one of the most secure organizations in the world, yet Edward Snowden, a contractor with privileged access, showed that technology alone is not the answer when organizations deal with the security of information. People were, are and will be the weakest point in the security chain. Without proper segregation of duties, access control and personnel security processes for the cloud provider's employees, your data is only as safe as the least trustworthy administrator.
Force Majeure Disclaimer – Every cloud provider has this clause in its agreement. If the cloud provider disclaims all responsibility in the event of, for example, an earthquake, why wouldn’t you consider such environmental factors when choosing your provider? Their data centre can be perfectly secure, but the city's telecommunications or electricity infrastructure might be the vulnerable part.
The basement – where the heck is my cloud? – Have you read the story about a cloud provider in the UK who turned out to be running the service from the basement of his house? Unfortunately, in most cases cheap does not mean secure. Ask where your data will physically be held, and make sure you are not dealing with a dodgy provider.
Unfair compensation – “There is nothing to worry about, we have an SLA with 30% compensation…” Well, if you have one, that figure is usually the maximum compensation you can get from the cloud provider when things really go wrong, and it is typically paid as service credit rather than cash. 30% of one month’s fee for an outage that stops your business is not the best offer on the market.
Delay of patching vulnerabilities – Good vulnerability management of the cloud infrastructure is as important as vulnerability management of your own environment. When you do your best and patch everything on time, you might be surprised that your cloud provider needs months to patch the same issues, indirectly exposing you. Ask what the provider's patching timelines are and how it notifies customers about vulnerabilities in the shared infrastructure.
Security incident responsibilities – Everything is fine until you have a security incident that affects both the cloud infrastructure and your environment. Is it clear who manages the incident, how quickly the provider must notify you, which logs and forensic evidence you will get access to, and how responsibilities are split between you and the cloud provider?
These are a few of the most common issues which IISRI came across while doing research in the cloud sector. More details about the security and privacy of specific cloud providers can be found on our other websites.