Measurement of Risk
The digital age has enabled organisations to store and disseminate data with ease. The volume of data stored in the cloud is enormous and continues to grow rapidly. Should a security breach or data leak occur, the consequences would be disastrous for all stakeholders. Organisations that have already suffered such incidents have measured the potential risks and, anticipating them, implemented a range of cloud security measures. Let us discuss these briefly:
- Measures related to data security, such as data encryption standards, key management and hierarchical access.
- Client-side efforts, since no control can prevent data espionage when the customers themselves are not vigilant enough to avert disasters.
- Geographical location and physical protection of data centres.
- Service level agreements to ensure proper service by the cloud service providers.
- Access controls to ensure efficient, effective and secure sharing of resources between clients utilising the same infrastructure.
- Financial controls within and outside the organisation to ensure that both internal teams and cloud service providers operate well within the budgets allocated.
Risk Assessment
The nebulous nature of the cloud has brought with it the perception of high risk and low control over the infrastructure and data an enterprise utilises. This is one of the primary reasons why executive teams want to know what could potentially happen if they move into the cloud. Whenever something new comes up, people take time to accept and adopt it.
Even though executive teams understand the potential, most of them are very comfortable with on-premises software and solutions. This is also due to risk aversion towards the cloud, as with any other new technology. Therefore, a thorough assessment of risks must be conducted before the commencement of the project. The risk assessment strategy used by an organisation must contain the following elements:
- Effective Control Mechanism: All current controls over the data are to be analysed. If they do not provide adequate protection for the data or service, the necessary data control mechanisms are to be implemented.
- Necessary Periodical Audits: The cloud service provider and the services rendered are to be analysed and audited on a monthly, quarterly or annual basis. Any discrepancy in service should be recorded and reported, and the necessary corrective measures should be implemented.
- Technical Security Architecture: A thorough analysis of the cloud service provider's present technical architecture should be done. Firewalls, Virtual Private Network provisions, patching, intrusion-prevention mechanisms and network segregation are a few of the things to be analysed well. These are potential high-risk areas, especially when confidential customer data is at stake.
- Data Integrity: The cloud service provider will be rendering services to multiple clients at a time. How the data is stored, what kind of hardware is used, and whether confidential data is kept on shared storage are to be analysed and understood beforehand. It is much better to discuss these points with the cloud service provider before moving any data to the cloud.
- Data Encryption: The name says it all. The data encryption standards that the cloud service provider utilises are to be audited beforehand. Strict investigation has to be carried out in this aspect, as it is one of the high-risk areas. Sony suffered a major outage of its PlayStation Network in 2011 due to its poor data encryption standards and hackers exploiting them.
- Disaster Recovery Plan: What happens when there is an earthquake, flooding or some other natural calamity that hits the data centre in which all the confidential data is stored? Before entering into contracts, the disaster recovery and contingency plan provided by the cloud service provider should be reviewed thoroughly. Internally, the organisation should have a clear business continuity plan to ensure that the business is not affected in case of a disaster.
- Standard Procedures: It is good to evaluate the standard procedures the cloud service provider follows internally in its operations. A typical example would be the offsite tape backup procedure for all the data stored in its data centre. Another example would be a pre-employment background screening procedure to check whether any of the employees working in the data centre, or those to be involved in managing it, have any malicious intent.
- Business Operations of the Cloud Service Provider: The current operational and financial condition of the cloud service provider should be diligently verified along with its history of operations. For publicly traded companies, this information is easy to find. For private companies, either an internal team can perform the due diligence or a third party can do the background check.