CONSIDERATIONS BEFORE MOVING TO THE CLOUD

Transcription

1 CONSIDERATIONS BEFORE MOVING TO THE CLOUD What Management Needs to Know Part II By Debbie C. Sasso Principal In part I, we discussed organizational compliance related to information technology and what audits data centers need to pass to be compliant, what to look for in a data center location, identifying service level requirements for your business, and how to avoid complications in case of provider shutdown. Part II is focused on data which is the number one concern we hear from business owners about the cloud. How safe is my data in the cloud, do I have control over my data, can I easily restore my data in the event of loss, how do I protect my data on mobile devices? are questions we consistently hear from owners. Here we discuss the following areas: Data Security Transmission of Data Encryption Data Breach Notification.

2 Data Security The security and integrity of data in the cloud causes a lot of hesitation for business owners and decision makers when it comes to considering cloud services. Before looking for a cloud services provider, inventory your data. Identify the different types of data whether it s highly sensitive or not, how it s managed, and how it s stored. Consider whether or not it would be best for your business to store your data in the cloud. You may have to comply with industry or state regulations and going to the cloud may complicate processes. Once the decision is made to move to the cloud, many factors regarding data security come into play when selecting a provider. Here s a high level checklist of what to ask of a Cloud Services Provider: Data Center Facility Security Find out what the physical security measures are to prevent unauthorized access to servers such as surveillance, key card access, security guards, etc. Infrastructure Security - Make sure controls are in place to prevent hackers from stealing your data. A reputable provider will have antiintrusion measures such as secure firewalls, SSL (Security Sockets Layer), encryption, antivirus software, and a password policy. Accessibility of Data Unless you have a dedicated server, chances are highly likely that you will be sharing a server with other cloud service provider clients. This is referred to as multi-tenancy. Ask how they separate information and systems and make sure that unauthorized users are not allowed to get their hands on your data. Data Loss Find out what provisions are in the contract if the provider loses or corrupts your data. There should be a clearly defined plan in your contract, if not; you may want to consider going elsewhere. Data Backup - Make sure daily backups are performed and that the backups are tested. Performing regular backup routines is critical but verifying these routines actually work is just as vital.

3 Transmission of Data Initial Setup You are going to need to move your data and files which are stored on hard drives, servers, or tapes into the cloud. This means you will need to upload your data to the cloud server of the hosting provider. There are many ways to do this so make sure you ask your provider how they will make the switch. Some providers will have you upload all of your existing files, while others will just start with new data. Existing data will remain on the systems, or will have to be uploaded separately. As uploading of files demands a lot of resources, you should understand when it will be done. If your files are transferred during business hours, this will result in sluggish Internet speeds. It s best to work with a provider who is flexible as to when you want the data uploaded. Also, ask the cloud provider what file and document formats are supported. While most of the larger cloud providers support almost every type of file/document, there are some providers that may have limitations as to the type of file that can be uploaded, stored, and how you can use it. The takeaway here is to determine if you will need to convert files and data to a format the provider supports. If you need data conversion, ask if they provide conversion tools and support. This will make conversion a lot smoother. Keep in mind, data conversion can be a very time consuming process Switching Cloud Providers Exporting and Removing Data Businesses may think that the cloud service provider they initially contract with will be the one they always use. This can be risky thinking when it comes to technology. There will come a time when you need to remove your files from the service. Be sure to ask the provider about their exit process. Some have been known to charge incredibly high rates to remove files. A good cloud services provider will assist you in removing files and will have a clear solution. As your files are saved on hard drives on servers, your data once removed, could remain on these drives. This is obviously something you wouldn t want, so ask what the provider does with the files once you remove them.

4 Encryption To give sensitive data the highest level of security, it should be stored in encrypted form. The goal of encryption is to make data unintelligible to unauthorized readers and difficult to decipher when attacked. Encryption operations are performed by using random encryption keys. The randomness of keys makes encrypted data harder to attack. Keys are used to encrypt the data, but also perform decryption. Keys are often stored to allow encrypted data to be decrypted at a later date. When it comes to data encryption, you will typically hear two terms data at rest and data in transit. Examples of data at rest include data stored on your computer s hard drive or in a storage facility. Data in transit includes data transferred through , mobile devices, a USB stick and can even include a backup tape if you are delivering it from point a to point b. To make sure your data is protected ask your cloud provider about encryption methods. It is important to make sure your data is encrypted all the time when it s in transit and when it s at rest. Learn about how the cloud provider would manage and protect your data s encryption keys, especially when it comes to rules for access control. Although firewalls can be excellent protection from external hackers and attackers, it s important to protect against internal attacks as well. Encryption for data at rest can help prevent attacks by employees who have access to sensitive information. These types of attacks are often even more devastating and cannot be prevented by firewalls. While viruses and stolen banking and credit card information are the rage in the headlines, less publicized incidents such as data theft or destruction by disgruntled former employees can result in far more damage. In addition to talking to your provider about encryption methods, ask these questions: 1. How many employees at the hosting facility have access to your databases? 2. How are they storing passwords? 3. Do you they security policies in place that include auditing database security and monitoring for suspicious activity? 4. What is the security plan if database security is breached? While preventive security mechanisms like encryption are readily available, oftentimes they are not implemented to secure data from internal and external threats.

5 Data Breach Notification Businesses are required to take reasonable steps to protect the personal information they hold from misuse and loss and from unauthorized access, modification or disclosure. The same goes for data center and cloud services providers. When looking for a provider make sure they have a documented plan on handling data breaches. Questions to ask a potential cloud services provider: What constitutes a data breach? What measures are in place to prevent and detect a security breach? How are breaches investigated? Under what criteria are more severe breaches escalated in order to be handled in a manner appropriate to the risk they pose? What s your notification procedure? The notification procedure should document how you will be notified i.e. phone call, letter, or in the event of a breach and what the timeline is from the time of the breach to the time of notification. What are your incident response procedures You should attempt to require the cloud provider to keep to certain procedures. Particular data breach response obligations may include: Immediate investigation after a breach Providing prompt notice to the customer, within hours of the breach Written reports and status reports concerning the breach Keeping certain information that would be relevant to a data breach (including logs, planning documents, audit trails, records and reports) Documentation of corrective actions Most states have set security breach notification laws. Be aware of what the laws are in your state and how your cloud services provider plans to meet the requirements. Data Breaches Target 110 million customers personal and payment information exposed Reason: Stolen Credentials allowed Hackers to access Target Networks Heartland Payment Systems 134 million credit cards exposed Reason: SQL injection to install spyware on Heartland's data systems. TJX 94 Million Credit Cards Exposed by Hacker Reason: Network Wasn t Protected with any Firewalls Fidelity National Information Services 3.2 million Customer Records including Credit Card, Banking and Personal Information. Reason: Employee Theft Resource: CSO Security and Risk csoonline.com 15 Worst Data Security Breaches A part of your strategy for security in the cloud is the need to have appropriate plans in place for breaches and loss of data. This is a critical component to your overall agreement with the cloud service provider.

6 In part I, we discussed the following areas: Organizational Compliance Data Center Location Service Levels Provider Shutdown For a free download of Considerations Before Moving to the Cloud - What Management Needs to Consider Part I, please visit ceservices.com/cloud-whitepaper-part-one.