Head in the clouds
Being human - behaviour that needs to be on board
There are three key action points to consider if you are a business that uses cloud services.
The primary driver is that your data (or data that you collect and use on behalf of your customers) will no longer be under your direct control. However, it is still your data, both practically (i.e. you need it to run your business, while your cloud provider views it simply as a source of revenue) and legally (the UK Data Protection Act is clear on the subject of data ownership, data control etc.). The challenge is that you can no longer build an infosec 'moat' around your data.
Third-party provider trust
There are two angles to consider here: how much do you trust providers delivering services in the cloud? Do you know what your 'traditional' non-cloud providers are even doing? Are they using cloud services themselves?
Cloud adds a whole new raft of supply chain risks, from the failure of a cloud provider (how do you get your data back?), to technical problems (loss of internet connectivity) that prevent your business from reaching your cloud providers - and, importantly, your data.
Contractual controls must be applied because technical measures, such as a robust infrastructure, can only partially mitigate risks. You need to ensure that your cloud service providers are securing your data in line with your security posture (not theirs), and your right to recover your data (in a usable form) from them is compulsory for your business's stability. Often, the use of a cloud provider may weaken your security posture - is this a risk your business can take?
Data location - compliance
Data location challenges have been discussed at length. However, no adequate solution has ever been found. Arguably, an inherent characteristic of 'the cloud' is that you don't necessarily know where your data is stored; you need to assess the scale of legal and compliance challenges.
There may be data that you cannot store in the cloud, but how will this affect your operations? Will this prevent your business from realising any of the efficiency gains and cost savings promised by cloud service providers?
You may even need to decide what can go in the cloud and what can't.
Clearly, having large quantities of data in the cloud means that you are entrusting your critical assets to a third party (or a chain of third parties), and allowing them to effectively manage risk on your behalf.
However, their risk appetite may be different from yours. It is crucial that you understand your cloud suppliers' attitude to risk. The shared nature of cloud infrastructure brings specific technology challenges with respect to data privacy.
Shockingly, there have been reported incidents of deleted data being recovered by different cloud clients. Once again, this illustrates the need for appropriate contractual controls, or if this is not possible you may need to adjust your attitude to risk, and very probably modify your business continuity and disaster recovery practices.
Cloud security vs. traditional IT security
The cloud security model is fundamentally different; adopting a cloud service will mean your information security management system undergoes one of the most significant changes it will ever face.
Cloud forces a totally data-centric view of information security: gone are traditional network perimeters, segmentation etc. You need to know what data you are processing, where it is, why you are using it and when you might need to get rid of it.
Be 'infosec smart' about the cloud, and you have a disruptive enough opportunity to align previously disparate departments (for example legal, internal audit, IT, compliance) behind your information risk management initiatives.
Paul Midian is consultancy director at Information Risk Management