Making a secure decision

With more and more organisations turning to Cloud and IT services, the issue of security is continuously being raised. Stefan Haase, Divisional Director at InTechnology, discusses which security measures to take before deciding which Cloud service provider to use.


“Protecting your data from theft, corruption or accidental loss is both a legal and a commercial requirement, wherever you choose to store it.

“No matter the nature of the business, companies are bound to generate, and require storage for, sensitive data. Choose the right service provider and your data should be the safest it’s ever been.


“In order to choose a reliable company there are several steps that you should take, to ensure that you are not putting either your company’s or your customers’ private data at risk. Here are my five tips to consider when choosing a provider to maintain complete Cloud security and peace of mind:


1) Create a robust information security policy
“Information security policies help defend organisations from both internal and external security threats, and for that reason developing an effective and accessible policy is a good starting point. Creating a document that is tailored to your organisation’s day-to-day operations, as well as aligned with your business objectives, will reduce the risk profile of the business and ensure that the management of data security is unambiguous.


“Successful information security policies should have full management commitment and support, with policy statements written in a clear and simple manner, ensuring they can be accessed by staff at all levels. Statements should be closely linked to any external standards and accreditations currently in place, such as ISO 27001’s guidelines for information security management, and there should be due attention given to all aspects, from the networks to physical security. Policies, and the adherence to them, should be regularly audited and updated, with such measures ensuring that the security of your data and applications is well managed.”


2) Consider who is most at risk
“Entrusting data and applications to a third party provider may seem like a risky move, but ask yourself, who is more likely to have a security breach? Your organisation where IT has many other business priorities and demands on its time and resources, or a third party whose core business focus is dependent on providing a secure and reliable data services environment?


“Also think about the security implications of an in-house IT infrastructure versus one that is offsite. The key to outsourcing to a data centre is that it enables modern businesses to be more secure and agile, helping to reduce costs and stay ahead of the curve when it comes to the Cloud and IT infrastructure.


“The technological differences between an in-house and offsite IT platform can often be stark. Unlike most average onsite IT equipment, a data centre is purpose-built, with security, the latest power saving technology and resilience in mind.”


3) Choose the right Cloud platform
“It is widely reported that public Cloud platforms offer less security than private Cloud models, and while distinguishing between public and private Cloud platforms is important, businesses should also give due consideration to the finer details of a provider’s offering. Public Clouds are multi-tenant by definition, with many pinpointing this as the reason for their lack of security. However, many private Clouds may also be based around multi-tenant applications, with the key distinction being that true private Clouds will be set up so that the underlying infrastructure is secured to one customer. For that reason, it is more important to consider the fundamental design of the Cloud platform than it is to base decisions on its self-appointed label.


“A further point for consideration is the different levels of encryption offered by different Cloud platforms. Encryption is a process designed to protect data - during storage and transit - from unwanted access; Cloud providers will often encrypt the data at the source (changing it from text to meaningless binary), with only the data owner possessing the decryption ‘key’. Encryption can often involve multiple layers and multiple methods. For that reason, organisations must perform due diligence on providers’ encryption policies before choosing a potential Cloud platform, with the correct provider able to remove many of the security burdens you may currently feel.”


4) Check the credentials
“Although it may sound obvious, it is very important to check the data centre service provider’s credentials. As a business you need to be sure they’re working to accredited physical and technical security standards. ISO 27001 requires businesses to have stringent physical security measures in place. These will include security checks on entering the building, controlled access points to the data centre facility, mantraps, CCTV and security passes, with differing levels of access.


“Check the provider runs its own data centres. Find out how long they have been established and ask if you can have a look round the data centre, to see for yourself where your data will be stored, meet the people responsible for protecting it and to check there is 24 hour monitoring by specialist staff.”


5) Be aware of the legal implications
“In America, lawsuits have already been filed in relation to the National Security Agency’s disclosure of sensitive data. When choosing a public Cloud provider such as Google or Amazon, please be aware that what happens to your data is taken largely out of the provider’s control, with different data protection laws governing data processed in different countries.


“Before you sign a contract with a new third party service provider always ensure that you have read the contract thoroughly, including the small print – where is the data hosted? If your data is transferred to the US, it will be subject to the USA Patriot Act, granting the government and other authorised bodies permission to access it even if your provider’s headquarters are within the EU.


“The public Cloud issues in America really serve to highlight the importance of organisations conducting meticulous prior research on the Cloud provider they opt for. Understanding the Cloud provider’s contractual requirements, its security accreditations and policies before hosting sensitive information is a must.”
 
