This series examines security in the cloud, showing how companies can mitigate cloud computing security issues and risks. This post specifically addresses vendors.
The cloud is not “one-size-fits-all.” Every company must examine its own security requirements, often on an application-by-application basis, to determine which cloud solution is most appropriate to its needs. Once the type of cloud solution has been selected, the company must determine how it can mitigate any security risks.
It is important to recognize that risk cannot be 100% eliminated. However, it can be significantly reduced to a level that is acceptable for a given business. The most crucial step in reducing risk is vendor selection. The right vendor will work in partnership with a client company at every step in order to maximize cloud security. This is key: security is a collaborative effort between the vendor and the client. The vendor cannot guarantee absolute security, but can provide the means so that the vendor and client together can make security a practical reality. With this in mind, companies should take a layered approach when assessing cloud vendors, reviewing the vendor, the facilities, the data, and the access.
The first layer consists of a thorough examination of the vendor company itself, starting with the vendor’s longevity and stability. Since cloud computing is the “latest and greatest” in the technology field, there are innumerable start-up firms offering their services. Unfortunately, these firms may disappear from the scene as quickly as they arrived. Because a cloud solution is not a stand-alone product to be purchased, but rather an ongoing service to be utilized, the disappearance of a cloud vendor can wreak havoc on their clients’ business operations. Businesses should therefore keep an eye on the future and choose a firm of proven history, financial strength, and success.
It goes without saying that a vendor should have expertise and experience in the area of cloud computing as well as security to ensure minimal cloud computing security issues.
“Rookie” firms may be able to talk intelligently about cloud computing, but if they lack actual experience in the field, a company is taking a serious risk by becoming their client. Rather, businesses should look for a vendor who has worked with multiple clients; who has an intimate knowledge of the hardware, software, and systems involved; and who has practical knowledge of how businesses function on a daily basis.
Bearing in mind that all business applications probably will not migrate to the cloud immediately (if ever) and that technology requirements frequently change over time, a company should look for a vendor with a broad portfolio of services. A vendor with a wide array of technology services has the depth of knowledge necessary to look out for their clients’ best interests, and the capabilities to keep them on the cutting edge of technology as they grow, change, and progress.
Another area of interest is a vendor’s remediation practices. It is unreasonable to assume that there will never be any issues with a selected cloud solution. At some point, an incident will occur, whether it is a minor power loss of a few hours in duration or a catastrophic natural disaster that destroys facilities. A vendor should be able to explain how they notify their clients in the event of an incident, how they remediate or recover full services, what their business continuity and disaster recovery plan is, and what steps they take to ensure that a given incident is not repeated.
A service provider must also be able to demonstrate its ability to proactively address threats. How do they provide faster and more accurate detection and response to targeted attacks and regulatory requirements?
Finally, in the event that the vendor relies upon subcontracting firms, a company must be sure that the subcontractors provide the same levels of service, security, and availability as the actual vendor.
The next post in the series will address security in the cloud with regard to the cloud facilities.