Cloud security has been the subject of great debate in recent months, with the many operational advantages of online storage and collaboration being pitted against the catastrophic effects of a serious breach.
In May 2015, the Sunday Times featured an excellent article by Davey Winder entitled “Cloud of mistrust in the air”, which examined the difference between perceived threat and actual risk. After presenting some of the arguments for and against cloud computing, Winder concludes that ‘the broad brush strokes of a secure environment remain the same no matter where the canvas is hung’. However, he offered a particularly apt and effective reminder – in the form of an acronym – for those who are considering a migration from on-premise systems to the cloud.
ATMOSPHERE: Mitigating the risk of moving from on-premise to the cloud
In an industry that is never short of an abbreviation or a buzzword, we still thought that ‘ATMOSPHERE’ was worthy of a special mention. So for those of you who have not heard this one before, please take heed.
Ascertain any accreditations that your proposed service provider holds, specifically ISO 27001 (the internationally recognised standard for information security) and ISO 27018 (the new cloud data privacy standard).
Do your research and you will find there are plenty of tools to help you remain secure during a cloud migration, covering everything from risk auditing through to encryption key management.
Regularly monitor and audit any externally provided services, and ensure strong access controls to your data with sufficient logging to reveal when your data has been accessed and by whom.
Contractually agree areas of responsibility between your organisation and service provider to reduce any potential disputes; ensure service levels are defined, agreed and monitored throughout the migration.
If your industry is highly regulated or has particular security needs, perform due diligence and find a cloud provider that specialises in your sector.
Following a policy-based separation of duties is key to migrating data safely to the cloud, preventing ‘privileged status abuse’ and advanced persistent-threat-style attacks.
Ensure you have high availability baked into the cloud infrastructure with a secure back-up and recovery solution, should the worst happen during the migration process.
Be aware of where your data is being hosted and stored. Is it offshored, or is multi-tenanted hosting provided? If so, with which other organisations, and what are their related threats?
Audit the sensitivity of your data, any regulatory considerations and the requirements for access to that data; once you properly understand the risk and operational needs, identifying appropriate cloud security controls becomes much easier.
The best way for companies to remain secure and compliant with most data residency laws is to encrypt data held in the cloud environment with encryption keys that are unique to specific jurisdictions, and are controlled from those jurisdictions.