Cloud computing is rapidly evolving into a service model that has the potential to save money and create efficiencies for organizations large and small. This new model can help achieve significant cost savings, reduce IT complexity, and increase flexibility in adapting to a changing business environment.
The benefits are clear, but organizations must carefully consider the security implications of moving sensitive data outside their own perimeter. Without a thorough risk assessment, those gains can be wiped out by the increased risk exposure.
Organizations must first decide which functions belong in a cloud environment and which should stay on a secure internal network. A common approach is to use the cloud for less sensitive functions such as accounting and HR management, while keeping intellectual property and mission-critical applications on the internal network.
Once an organization determines which functions to implement in the cloud, it must then determine the appropriate controls that need to be in place. Furthermore, these controls must take into account applicable compliance regulations such as the PCI DSS and HIPAA.
So what must be carefully considered with cloud computing? Halock Security Labs recommends that organizations consider the following:
- Contractual Agreements: provide the essential legal recourse in case of a security breach
- Third-Party Audits: independent attestations such as ISO 27001 certification or an SSAE 16 report further demonstrate that the cloud provider has appropriate controls in place; ask for the report itself, and check that its scope actually covers the services you will use
- Availability: define the acceptable availability requirements to satisfy your business needs
- Back-Up and Recovery: agree on backup frequency, retention, and recovery time and recovery point objectives that align with your incident response plan, and test that recovery actually works
- Decommissioning: confirm that your data, including backups and replicas, will be securely deleted when your organization leaves the cloud or moves to another service provider, and that the provider will attest to that deletion
- Security: ensure that appropriate data encryption, segregation, access controls, and systems management processes are supported within the cloud environment
- PCI Compliance: if your organization handles cardholder data, your cloud service provider may be considered a PCI Service Provider, depending on the services provided, and would then have to demonstrate its own compliance with the PCI Data Security Standard; using a compliant provider does not make your organization compliant, so the responsibilities of each party should be documented in the contract