by Esther Shein, Contributing Writer, enterprise.net, April 24, 2017

When you adopt cloud services, some of your data is inevitably out of your direct control. Here’s what you need to know.

By now, moving at least some business processes to the cloud is not a question of if but when. So how do you keep your information safe while embracing all the benefits cloud computing offers?

Even if the enterprise is using private clouds and virtualization, your data may physically reside in infrastructure that is owned and operated by an external service provider.

When control is shifted to a third party that owns, operates, and manages infrastructure and computational resources, it is incumbent upon security professionals to put measures in place to maintain the safety of their data. It comes down to doing your research and due diligence, figuring out your threshold for risk, and not giving up all of the keys to the castle.

Ask questions, conduct audits

There is no single measure or technique that can keep a company’s data secure, regardless of whether you use an on-premises data center or the cloud, notes Paul Hill, senior consultant at System Experts. “When using the cloud, an organization has to understand what responsibilities are outsourced to the cloud vendor and what will remain the responsibility of the organization,” he says.

First and foremost, ask for credentials when evaluating a cloud service provider (CSP). What level of trust and reputation does the provider have in the market? How will it protect valuable data and personal information? “It’s important to ask these questions and have the CSP describe their security operational controls, such as how they handle security breaches and how threats are addressed, as well as how certain insider threats are identified and countered,” advises Thomas Hogan, sales specialist for BT Cloud Compute. Additionally, organizations should deploy identity and access management (IAM) to control the security credentials in the cloud and manage who has access to what information.

Hill agrees: “Without careful oversight, it is all too easy for someone in an organization to misunderstand the responsibilities and assume that the cloud provider is doing more than they really are.” For example, if a CSP states that it has achieved PCI compliance, does that mean that your applications are automatically PCI compliant? Or is the scope of the compliance limited to the payments made by customers to the CSP? “Strong IT governance by knowledgeable individuals is essential, or the organization should engage a third party with the expertise to review the issues,” he says.

“If your organization is required to keep its data within a geo-location due to regulatory issues, you should make the CSP describe how it will ring-fence or guarantee data will not cross borders,” adds Hogan. “It should also address access methods, encryption techniques, and all authentication processes needed to access data.”

In terms of the responsibilities the CSP is willing to provide, the organization needs a mechanism to determine how well the service provider is implementing the security controls, Hill says. “This is typically done by a combination of testing and relying on independent security audits under a compliance program,” he notes. “In some cases, an organization may not be satisfied by a compliance statement, and it may require that it perform its own audit.”

This tends to be more practical when using a small cloud provider. Amazon, Microsoft, and Google generally don’t allow customers to perform their own audits, he points out: “Customers of those providers usually have to be satisfied by compliance certifications and some form of testing that they can perform.”

In some cases, depending on the sensitivity of the data and the nature of the customer relationship, an organization may want or even need to assume some of the responsibilities the CSP is willing to provide, says Hill. For example, an organization might determine that it needs to encrypt its data at rest. Many cloud services provide some level of cryptographic key management. But an organization might decide that the cloud provider should not be able to decrypt the data.

“In that case, the organization will need to assume all aspects of key management or use a third party to perform the key management,” he says. “If an organization wants the ability to see any subpoenas served and control the response to them, then encrypting the data with keys under its own control is a critical control.”
