As long as your data and workloads stay inside your own corporate network, you alone decide who can access and manage them. Once you move workloads to an external data center, the usual assumptions of network perimeter security no longer apply: the infrastructure is operated by someone else, and your control over it stops at the contract.
Therefore, before signing a Service Level Agreement (SLA) with a cloud service provider, organizations should consider the following cloud security tips to keep workloads in external data centers safe and secure.
Access Control- Make sure it is clear who manages authentication to the cloud service and how. This limits the insider threat and ensures that access is granted only to those who need it and can manage it responsibly. Example: if an employee is terminated or leaves the organization for any reason, a corporate joiner/mover/leaver policy must revoke that person's cloud access promptly and hand the responsibility to a named successor, rather than leaving shared credentials or orphaned accounts behind.
Make a list of your regulatory requirements- Each jurisdiction, such as the United States, Canada, and the European Union, has its own regulatory requirements, and companies operating there must comply with them. For instance, some jurisdictions, Germany being the usual example, require certain categories of data to stay within national borders. Cloud providers serving companies in such regions must therefore be able to meet the applicable certification, accreditation, and review requirements, and you should know in advance which regions your data may be stored in or replicated to.
You should have the right to audit- Make sure the SLA with the provider includes a right to audit. That means the provider agrees in writing to comply with a recognized auditing standard (for example SSAE 16, since superseded by SSAE 18, under which SOC 1 and SOC 2 reports are produced) and to share the resulting reports with you. This gives the customer confidence that the compliance standards relevant to cloud computing are actually being met by the provider, rather than merely claimed.
Training of employees- In keeping with the saying "prevention is better than cure", companies need to train their employees and build awareness of cloud security. Most attacks combine a technical and a social element, so proper training in handling email, suspicious links, and phone calls (phishing and pretexting) goes a long way toward reducing a company's exposure to cyber security threats.
Data Classification is vital- Firms moving workloads to the cloud should classify their data first, so they know which fields are regulated, and then agree with the provider on how each class is handled. Tokenization is one alternative to encryption for the most sensitive fields: the real value is replaced by a surrogate token, and the mapping from token back to value stays in a vault under the customer's control, so the regulated data itself never reaches the provider. This helps companies meet requirements such as the Payment Card Industry Data Security Standard (PCI DSS), HIPAA, and the Gramm-Leach-Bliley Act while still using cloud services.
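To make the tokenization idea concrete, here is an added example in Python; it is not code from the original article or from any cloud provider. It assumes a card-number (PAN) use case, an in-memory vault standing in for the real vault you would keep in your own environment, and a hypothetical principal name `payments-service` as the only identity allowed to detokenize; the PAN used is the public 4111 1111 1111 1111 test number, a constructed sample rather than a real card. It also goes one step beyond the paragraph by adding an egress check that scans an outbound record for any digit run that still passes the Luhn check, which is how you catch a PAN that slipped past tokenization.

```python
import re
import secrets
from typing import Dict

# Added example, not from the original article. The PAN mapping lives in the
# vault, which stays in your own environment; only tokens go to the cloud.
DETOKENIZE_ALLOWED = {"payments-service"}  # assumed principal name, for illustration


def luhn_valid(number: str) -> bool:
    """Luhn checksum, which every real card number passes."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def looks_like_pan(value: str) -> bool:
    return value.isdigit() and 13 <= len(value) <= 19 and luhn_valid(value)


class TokenVault:
    """In-memory stand-in for the tokenization vault you keep under your control."""

    def __init__(self) -> None:
        self._by_token: Dict[str, str] = {}
        self._by_pan: Dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if not looks_like_pan(pan):
            raise ValueError("refusing to tokenize something that is not a valid PAN")
        if pan in self._by_pan:          # the same PAN always maps to the same token
            return self._by_pan[pan]
        while True:
            # Keep the last four digits for display, randomise the rest, and
            # reject any candidate that passes Luhn, so a token can never be
            # mistaken for (or used as) a live card number.
            body = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            if token not in self._by_token and not luhn_valid(token):
                break
        self._by_token[token] = pan
        self._by_pan[pan] = token
        return token

    def detokenize(self, token: str, principal: str) -> str:
        """Only an allow-listed principal may recover the real PAN."""
        if principal not in DETOKENIZE_ALLOWED:
            raise PermissionError(f"{principal} may not detokenize")
        return self._by_token[token]


def outbound_record(vault: TokenVault, order: dict) -> dict:
    """What actually leaves for the cloud: the PAN field is replaced by its token."""
    record = dict(order)
    record["pan_token"] = vault.tokenize(record.pop("pan"))
    return record


def leaks_card_number(record: dict) -> bool:
    """Egress check: does any 13-19 digit run in the record pass Luhn?"""
    blob = " ".join(str(v) for v in record.values())
    return any(luhn_valid(m) for m in re.findall(r"\d{13,19}", blob))


if __name__ == "__main__":
    vault = TokenVault()
    # Constructed sample order; 4111111111111111 is a public test number.
    order = {"order_id": "A-1001", "amount": 42.50, "pan": "4111111111111111"}
    sent = outbound_record(vault, order)
    print("outbound:", sent, "| leaks PAN:", leaks_card_number(sent))
    print("recovered by payments-service:",
          vault.detokenize(sent["pan_token"], "payments-service"))
```

The two design points worth copying are that detokenization is a separate, authorised operation rather than a lookup anyone can run, and that the egress check is independent of the vault: even if some code path forgets to tokenize, a Luhn-valid digit run in the outbound record is caught before it reaches the provider.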
Make a note of Encryption- After Edward Snowden revealed that the US government was routinely monitoring the web activities of public and private entities, demand for encryption peaked. Companies should therefore address encryption explicitly in the SLA to clarify where it will be used: for data at rest, for data in transit, or both. Also record clearly who holds and manages the encryption keys before signing the contract; if the provider holds the keys, the provider (and anyone who can compel it) can read your data, so customer-managed keys are the stronger position.
Shared or individual server- Cloud providers usually host many customers' applications on shared (multi-tenant) servers to make efficient use of disk space, processing power, and bandwidth. Many companies do not want their workloads on shared servers and prefer a dedicated server for their data. For the highest level of security and privacy, have the SLA state explicitly that a dedicated server will be used to host your applications.
Check the cloud provider's history- Companies planning to move workloads to a cloud platform should check the provider's background and track record. Remember: if the provider goes out of business midway, what happens to your data and workloads? Is the provider prepared to return the data in its original, usable format, and to delete its own copies afterwards?
What happens if there is a cloud security breach- In the competitive cloud business, many providers market themselves as impossible to hack. In reality, cloud services are attractive targets for attackers. It is therefore better to have the contract spell out what support the provider will give if a security breach occurs: how quickly you will be notified, what logs and forensic data you will receive, and who bears the cost of remediation.
Better to stress on business continuity factors- Cloud customers usually do not know the physical location from which the provider is serving them. If the provider's data center is hit by a storm or earthquake, there needs to be a business continuity plan that guarantees service will continue as promised. Make sure this point, including the recovery time and recovery point objectives you expect, is included in the contract.
Have more such points to add?
Please share your knowledge through the comments section below.