For Your Chosen Cloud Provider, Make Demands Not Assumptions
There’s a false belief about cloud security that has been circulating for some time. Many mistakenly believe they can offset their security costs and responsibilities by moving to the cloud. By outsourcing much of their IT services to a cloud provider, the security is now their problem and not yours.
“Just because you give your job to someone else to secure your data or your service, you still have the responsibility to make sure that it’s being done securely,” said Brian Honan (@brianhonan), principal of BH Consulting in our conversation at the 2015 RSA Conference in San Francisco.
Make sure that your cloud behavior is operating in your best interests, said Honan. This reaches out to considerations of compliance, vetting your SLAs, and understanding roles for incident response. Start by understanding what your organization needs regarding data visibility. Once you clearly understand your organization’s needs, you’ll be able to pick and negotiate with a cloud provider to get exactly what you want.
Honan also advises that you have a clear understanding of where all parties reside. Where is the cloud provider hosting the data? How is that related to where your business resides and where your customers are who are using the data? There may be jurisdictional issues in all those locations, said Honan.
Many companies fail to recognize that once data is in the cloud, it can be accessed from anywhere. All that is protecting your company and its data is a user ID and password, said Honan. That means anyone from any device can access your data. And that may or may not be at the same level of security as your own organization’s devices.