Digital Guardian, November 12, 2014
"What is the number one issue most companies face with cloud computing and data security, and what can they do to address the issue?"
Cloud computing is quickly becoming a mainstay for many technology companies today because of its superior flexibility, accessibility, and capacity compared to traditional online computing and storage methods. But just like traditional storage and data sharing methods, cloud computing comes with its own set of data security issues.
At Digital Guardian, our mission is to provide data security solutions and services to help businesses protect their most valuable digital assets. In doing so, we follow the top data security issues facing companies in today’s digital world and work with security experts from all around the industry. As cloud security risks grow, we wanted to compile some tips from data security experts on the most common (and avoidable) issues companies face when it comes to the cloud and securing their data.
We’ve collected and compiled their expert advice into this comprehensive guide on safeguarding your company from cloud computing and data security issues.
Paul Hill is a Senior Consultant at SystemExperts, a security and compliance consultancy. Paul has worked as a principal project consultant at SystemExperts for more than twelve years, assisting on a wide range of challenging projects across a variety of industries including higher education, legal, and financial services.
For companies purchasing cloud services, the number one priority should be…
How to evaluate the risk of using a particular vendor.
Many companies don’t have a solid process for determining how to evaluate a third-party cloud vendor for risks, nor how to assess the likelihood of a breach at a third party. Too often, if a company attempts to assess the risk, the task will get delegated to someone who will concentrate on a very narrow aspect of the service provided.
For example, someone might only validate if the data is encrypted during transmission, or the decision might rely on determining if the system is multi-tenant versus a dedicated host. In order to properly assess the risk, companies should be using mature frameworks such as ISO 27002 or the emergent Cloud Controls Matrix (CCM) from the Cloud Security Alliance (CSA). These frameworks look at a broad range of controls including HR practices; physical security; environmental controls; authentication policies, procedures, and mechanisms; access controls; cryptography usage; and key management.
The current version of ISO 27002 examines over 130 different aspects of an organization’s overall security. The CCM has similar granularity. A small number of organizations with mature IT departments use ISO 27002 or a similar framework to assess their third-party vendors, including cloud service providers. Some cloud vendors perform an annual assessment and publish compliance information about the assessment.
However, too often these diligent practices are the exception rather than the standard practice. One area that ISO 27002 does not address is breach notifications by third-party vendors. When purchasing cloud services, companies should include terms and conditions that address the definition of a breach, the timeliness of notifications upon learning of a breach, and what information will be communicated about a breach.