This webinar organised by Gartner addresses the security issues an organisation faces when venturing into cloud computing.
Small and Medium Enterprises (SMEs) are more inclined to take up cloud services because they hold little sensitive data and have limited IT capability; they usually start public cloud use with Software as a Service (SaaS). Large organisations, on the other hand, hold sensitive data and have sophisticated IT capability, and they usually start public cloud use with Infrastructure as a Service (IaaS).
Therefore, the descending order of cloud uptake (most willing to adopt first), as driven by security concerns, is:
1. Small to Medium Business
2. Civilian Government
3. Individuals
4. Fortune 500 and Finance
5. Military
Furthermore, no single SaaS application can meet all needs, because organisations differ in their requirements and policies, location and regulation, data security, and so on.
The webinar also discussed the security levels of SaaS applications. Low-security applications include email, websites, social networking, discussion boards, etc. Medium-security applications include email, Customer Relationship Management (CRM), supply chain planning, sourcing, purchasing and logistics. High-security applications include virtual data rooms for investment support, board of director portals, litigation support, collaborative development and defence logistics.
There is a need for security control of data from both SaaS cloud providers and cloud customers, depending on data sensitivity. Cloud suppliers can provide control through network encryption, server encryption, endpoint encryption, directory integration, login logging, detailed activity logging and strong authentication. To compensate for providers' weaknesses, the customer should provide control through user and IT acceptable use policies, a data tokenization gateway, data loss prevention, client or gateway encryption, provisioning integration, logging and network access control.
Encryption is a useful tool for controlling data security; however, it is easy to make mistakes with. Loss of the key is loss of the data, and if data is encrypted on the server, searching it becomes difficult. It is necessary to use a standard algorithm and to manage access to the key effectively.
Contractual concessions are not an effective way to ensure data protection, especially for SaaS. The degree of contractual rigour should be proportional to the sensitivity of the service. For example, a contract could require the provider to give the customer periodic access to its financial information, so the customer can confirm the provider remains financially viable.
Finally, some recommendations for cloud service customers are:
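The tokenization gateway and the searchability problem mentioned above can be shown concretely. The following is an added example written for this summary (not code from Gartner or the webinar): a minimal on-premises gateway that swaps sensitive fields for tokens before a record is sent to a SaaS provider, with a vault that maps tokens back. Random tokens are unlinkable but support no search on the provider side; keyed (HMAC, a standard construction) tokens are deterministic, so exact-match lookup still works at the provider, but substring or range search does not, and losing the vault (the analogue of losing the key) means the original values cannot be recovered. The class names, field names and sample records are constructed for illustration.

```python
"""Tokenization gateway sketch (added example, not the webinar's material).

Two token styles are implemented:
  * random tokens: equal plaintexts get different tokens, so the SaaS side
    cannot search at all; only the on-premises vault can resolve them.
  * keyed tokens (HMAC-SHA256 over the value): equal plaintexts get equal
    tokens, so exact-match search still works at the provider, but
    substring/range search does not, and equal values become linkable.
"""
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional

# Fields that must never leave the organisation in clear text (constructed).
SENSITIVE_FIELDS = {"ssn", "card"}


class TokenizationGateway:
    def __init__(self, key: Optional[bytes] = None):
        self.key = key            # None -> random tokens
        self.vault: Dict[str, str] = {}  # token -> plaintext, stays on-premises

    def tokenize(self, value: str) -> str:
        if self.key is None:
            token = "tok_" + secrets.token_hex(8)
        else:
            digest = hmac.new(self.key, value.encode(), hashlib.sha256).hexdigest()
            token = "tok_" + digest[:16]
        self.vault[token] = value
        return token

    def detokenize(self, token: str) -> str:
        # Without the vault the token is meaningless: loss of vault is loss of data.
        if token not in self.vault:
            raise KeyError(f"token {token} not present in this vault")
        return self.vault[token]


def outbound(gateway: TokenizationGateway, record: Dict[str, str]) -> Dict[str, str]:
    """Record as it is sent to the SaaS provider: sensitive fields tokenized."""
    return {k: gateway.tokenize(v) if k in SENSITIVE_FIELDS else v
            for k, v in record.items()}


def inbound(gateway: TokenizationGateway, record: Dict[str, str]) -> Dict[str, str]:
    """Record as it comes back from the provider: tokens resolved via the vault."""
    return {k: gateway.detokenize(v) if k in SENSITIVE_FIELDS else v
            for k, v in record.items()}


def can_recover(gateway: TokenizationGateway, record: Dict[str, str]) -> bool:
    """True only if this gateway's vault can resolve every sensitive field."""
    try:
        inbound(gateway, record)
        return True
    except KeyError:
        return False


# What the SaaS provider can do with what it stores (it never sees plaintext).
def saas_exact_search(records: List[Dict[str, str]], field: str, token: str) -> List[Dict[str, str]]:
    return [r for r in records if r.get(field) == token]


def saas_substring_search(records: List[Dict[str, str]], field: str, needle: str) -> List[Dict[str, str]]:
    return [r for r in records if needle in r.get(field, "")]


if __name__ == "__main__":
    # Constructed sample records with the same (fake) SSN.
    alice = {"name": "Alice", "ssn": "123-45-6789"}
    bob = {"name": "Bob", "ssn": "123-45-6789"}

    random_gw = TokenizationGateway()
    stored = [outbound(random_gw, alice), outbound(random_gw, bob)]
    print("random tokens differ:", stored[0]["ssn"] != stored[1]["ssn"])
    print("recoverable with vault:", can_recover(random_gw, stored[0]))
    print("recoverable without vault:", can_recover(TokenizationGateway(), stored[0]))

    keyed_gw = TokenizationGateway(key=b"constructed-demo-key")
    stored = [outbound(keyed_gw, alice), outbound(keyed_gw, bob)]
    probe = keyed_gw.tokenize("123-45-6789")
    print("exact-match hits:", len(saas_exact_search(stored, "ssn", probe)))
    print("substring hits:", len(saas_substring_search(stored, "ssn", "123-45")))
```

In a real deployment the vault (or the HMAC key) is the thing that needs the key-management discipline the webinar calls for: back it up, restrict access to it, and log every detokenization, because the provider's copy of the data is useless without it.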
1. Base purchases on business requirements
2. Use standards for external party risk assessments
3. Protect highly sensitive data with control technology as it becomes practical/available
4. Always have a contingency plan for supplier failure
5. Seek business ownership for the business’ use of information and technology
Reference:
Heiser, J. (2013). Prepare For and Minimize the Security Risks of Cloud Computing. Gartner. Available at: http://my.gartner.com/portal/server.pt?open=512&objID=202&mode=2&PageID=5553&showOriginalFeature=Y&resId=2475516&commId=74709&channelId=5502&id=68387730