Thursday, 27 October 2011 16:45

Getting cloud security right from the start



Some of the biggest security mistakes made when adopting cloud computing can be avoided by taking a few simple steps.

Steve Durbin, vice president sales and marketing for the Information Security Forum, thought the issues around cloud security would have been nailed down by now, "but I couldn't have been more wrong," he told iTWire.


The ease of getting started with cloud services is a nightmare from a security perspective, he suggested. People on the business side of an organisation can simply sign up and put the usually modest charges on their credit cards, bypassing (though probably not maliciously) the normal security procedures.

"The savings [from using cloud services] are huge," he said, but it's important they engage with the security team to get things right.

He relates the story of a large Australian retailer that started using because it was so cost effective, but someone decided to upload certain data that wasn't needed for the intended use, and that action was in breach of the company's own security regulations. Once the security team found out, the data was removed.

Mr Durbin suggests that business people tend to buy cloud services as they would buy consumer goods: most go out and buy the first fridge that looks about right, and only a few research the market carefully. Cloud suppliers, he said, should be treated like any other outsourcer.

How much trouble you should go to and the standards you should expect from providers depend on the importance of the project and the sensitivity of the data. In order to balance agility and flexibility with security, Mr Durbin suggests the following four points are especially important.




1. Engage with the information security team (some organisations put it under risk management or governance) from the outset.


2. Agree with them what degree of security is needed for the project. It may be minimal, it may be complex, or it may be somewhere in between.

3. Decide how to validate the provider's security claims. An operator that applies a high level of physical security probably won't let you onto their premises to make your own checks, so you may need to rely on third-party certifications. If you're storing corporate data, you probably can't take the provider's word that its systems are secure.

4. Agree termination terms. "Make sure you get all your data back" when the relationship ends. Mr Durbin related an example of an organisation that stored all of its customer data in a cloud system, but when the contract ended it couldn't retrieve the data because "that wasn't part of the agreement."

"The only time you've got any control is on the way in," he warns: the balance of power shifts to the provider once you have signed a contract.

He also suggests thinking carefully about the price being charged: "There's often a clue in the price - it's cheap for a reason." While that may be fine for some purposes, it is not in other situations. For example, a small business could probably lose access to its CRM system for a couple of hours and hardly notice. But if a bank's ATM network went down for a similar period, that would be considered a serious problem.

Mr Durbin suggests it is easier to validate the security of an IaaS provider, provided you ask the right questions. SaaS is less tangible: much more of the total system is controlled by the provider, with little or no visibility for the client.




But investigating all these issues comes at a price, and you need to decide whether it is worthwhile given the importance of the data, the criticality of the process involved, and the magnitude of the expected savings from using a cloud service instead of keeping things in house.


(The executive summary of the ISF report 'Driving out the seven deadly sins of cloud computing' is available here.)





Stephen Withers


Stephen Withers is one of Australia's most experienced IT journalists, having begun his career in the days of 8-bit 'microcomputers'. He covers the gamut from gadgets to enterprise systems. In previous lives he has been an academic, a systems programmer, an IT support manager, and an online services manager. Stephen holds an honours degree in Management Sciences and a PhD in Industrial and Business Studies.


