Security has always inhibited the take-up of cloud. I believe in most cases fears are overstated, but data security in the public cloud cannot be taken lightly. Data remains the responsibility of the organization that owns it, regardless of where it is stored. Your data may be held in an external cloud, but you cannot abdicate your own security responsibilities.
Your choice of cloud service should be based on what your organization can do and your appetite for risk. If you have limited resources, you will be more reliant on your cloud provider, but it is up to you to ensure they offer the security you need and continue to provide it throughout the contract.
When choosing a service, be aware that different types of public cloud include different levels of security. Very simplistically, with Infrastructure as a Service (IaaS), the service provider will secure access to the underlying host and provide good general security up to and including the host and hypervisor patching. They may also provide proactive infrastructure security monitoring, often as a chargeable additional service, but you will still be responsible for securing access to the instance(s) and everything inside them, plus security of integration between instances unless you contract the provider or another third party to do it for you.
With Platform as a Service (PaaS) you also get a secured OS and service platform, plus normally patching of this, but you have to take responsibility for access and authentication to the service plus application patching and code updates for your service running on the platform.
With Software as a Service (SaaS) the provider is responsible for overall security of the service including securing any data hosted in their environment, so your responsibility is primarily authentication to the service and data transfer between service providers.
If you have very specific security needs, public cloud may not be right for you. The major public cloud providers have defined, standard processes and services, which is one of the major benefits of cloud and key to its cost effectiveness. If you need the provider to tailor its processes to suit you, you will be better off talking to private and virtual private cloud providers.
Having chosen public cloud, you need to find the right provider – which I believe is more about risk management than security. You must carry out effective due diligence, evaluating potential cloud providers as you would any other supplier and seeking independent verification of their capabilities and financial security.
It is the cloud provider’s responsibility to ensure your data is secured and protected within their environment, and their SLA should offer appropriate guarantees. However, it is your responsibility to ask them to deliver the appropriate levels of information security, and you must measure and audit them yourself to ensure they apply what has been agreed.
Agreements do not normally include backup unless you specify it in the contract, but all data you host with the provider should be recoverable and returnable at the end of the agreement.
To ensure data sovereignty, you should ask the cloud provider where it will be stored. You need to ensure this is in a jurisdiction with the correct safeguards in place and which does not contravene the Data Protection Act (GDPR from May 2018) or comparable legislation in other jurisdictions. Many providers who previously hosted offshore are setting up UK data centers to meet this requirement. Remember to ask where both primary and backup sites are located. If the provider cannot guarantee this, walk away.
I recommend asking your potential service provider:
- Who is the ultimate holder of the data?
- Where is the data held?
- Do you operate good processes and can you prove it?
- What specific security standards and levels of security are you applying to my data?
- How can you guarantee no-one else can get access to my data unless I specifically want them to?
Organizations should check this information for themselves and manage it as they would for every other corporate risk.
Finally, consider how to manage your cloud supply chain. In many cases the organization you contract with is not the ultimate provider of the service, so you need to ensure they have suitable underpinning agreements or back-to-back contracts with their providers. Multiple providers may be necessary to deliver core services.
Risks arise when it is not clear where responsibility lies, which can lead to a blame culture. I recommend developing an operational agreement whereby suppliers commit to a code of conduct designed to remove any barriers to effective relationships and interworking and which operates alongside SLAs. This helps suppliers work together and removes any gaps or overlaps between contracted boundaries of responsibility, with mechanisms to resolve disputes in a collaborative and effective manner. It can be formalized in a Customer Service Charter.