Cloud computing offers great potential—reduced expenses, decreased administrative overhead, superior performance and availability, and a predictable monthly fee (in most cases). However, there is another side to cloud computing that holds significant business impact but is often not addressed to the fullest extent—information security.
How do you keep your information secure in the cloud? Are you absolutely sure your data is safe? Can you easily access your information when you need to?
As you migrate to the cloud, keep in mind that the security of your information is largely dependent on the expertise and knowledge of your service provider. Here are five factors to consider when assessing a service provider’s information security efforts.
Do the research now so you won’t be left standing in the rain later.
Provider security posture should equal yours. Make sure that your service provider has at least the same level of security processes and technology that you employ. If you deploy third-party auditing, penetration testing, monitoring, intrusion prevention, and other controls required by regulatory bodies, your service provider needs to offer the same level of service.
You should have direct access to data at all times. Discover ahead of time what the procedure will be if your auditors need to get information from your service provider. Can you obtain the service provider's SAS 70 report? How often are they audited? Can your auditors visit the site for their own inspections?
Identify the process for legal discovery. What are your rights in terms of collecting forensic information in the event of a lawsuit? What happens if the service provider’s equipment is seized by law enforcement due to suspected illegal activity by another of the service provider’s customers? Your service provider should be obligated to inform you if a legal discovery subpoena has been issued against your own data or systems.
Know the cross-border regulations for information types. Larger service providers with international locations should disclose their data transfer and storage processes. Depending on the nature of your information, federal, state, or international regulations may dictate where that data is physically located. For example, information pertaining to a minor cannot cross US borders for any reason. In addition, regulations for encryption can vary from country to country.
Know your legal responsibilities. Though your service provider may be responsible for your underlying cloud infrastructure, it is your legal and fiduciary responsibility to ensure that the provider’s solution meets your regulatory requirements.