Cloud computing special: Need to know

Your company’s audit and risk profile for data systems will change because of cloud computing ­ the process of storing, accessing and sharing company data and processes remotely over the internet.

Generally speaking there are four main cloud services that companies of all sizes are looking for ­ applications, data storage, infrastructure and platform ­ and they all are linked.

When contemplating any of these types of services for your organisation, questions ­ such as where your data is being stored, who can access it, when it is deleted, what actually happens to that data ­ are questions that need to be asked by the audit team before negotiations with the cloud service provider begin.

Most cloud services are offered on a shared server basis, that is, the IT resources on a given server are shared between multiple organisations. Some companies are going down the route of signing up for non-shared cloud services that are offered on a secure basis by the likes of IBM and Unisys.

Even though this effectively means a company’s data storage facilities are installed remotely, the economies of scale of major data centres make such services cost-effective ­ though not as highly cost-effective and environmentally friendly as shared cloud services.

Remember the risks
Even secure cloud services have an increased risk of data going walkabout than having your organisation’s data neatly tucked up on your own servers.

To counter these issues, it is necessary to employ a carefully defined risk analysis of IT systems and procedures before a decision on which cloud technology and service is the best option for the business.

The four main stages in this analysis are as follows:
* ID management and access control. Who is authorised to do what and when?
* Regulatory requirements. Does it comply with Basel II, SOX, PCI, SAS70, etc?
* Data handling processes. Where is the company’s data located and how is it managed?
* Staff management. When someone leaves, comes on board or changes roles, what happens?

As always with IT systems, implementing good data security practices, processes and technology at a grass roots level can help to reduce the operational risk profile of cloud computing.

It is, however, important to understand the need for a risk analysis audit of your cloud service provider, before later steps such as the creation of service level agreements, remediation procedures and penalty clauses are started.

What is required is an assessment of the expectations that management and the business have for the cloud outsourcing contract’s terms and conditions.

What precise functions are required to be completed by the outsourcing company and what are the performance and security criteria that you will be able to hold the provider to.

Adam Bosnian is vice president of products, strategy and sales at Cyber Ark

HEAD SCRATCHERS

Who can see my information? Data loss is now a reality and a sizeable chunk of all data loss incidents are down to third party providers. As a result, you need to know whether the service provider, who is the administrator of the system, can see your data. Most IT administrators have this ability. Therefore, do they have the controls in place to avoid sending, copying or emailing your data?

What happens if the service provider loses some of your data? You need to ask your cloud service provider what their data protection policy is and what their audit procedures are. And then you should perform due diligence on those procedures.

Are you happy with data co-location? What does the third party organisation do to separate information and systems? Could your competitor, who is also using the service, get their hands on your data? Remember that, in the cloud, you cannot tell whether your data is copied. So you really need to get this one answered!

What happens in the event of data corruption? How many copies of your data does the third party have? Do they use incremental backups and can they reconstruct an image of your data at a given point in the past from these partial backups. How far back to their backups go in calendar terms?

How easy is it to migrate to another cloud service provider? This is a question few companies ask until it’s too late. Porting data between cloud service providers is a relatively new capability and only a small number of service providers have implemented what will become a very necessary service.

Are you relying too much on service level agreements? A service level agreement (SLA) is the contract between you and the cloud service provider. While figures are usually central to most SLAs, you need a remediation process in the event the service provider does not meet their agreement. Things can, and do, go wrong, so it is important to agree the remediation process, as the fate of your company could rest on the integrity of the agreement. Compensation is only part of the equation as, by the time the money is paid, you could be out of business.