Government has made cyber security a national Tier 1 priority and made clear that we all have a role to play in ensuring information remains both available and secure. Yet this will never be achieved if those responsible for moving data to the cloud are failing to ask the right questions.
You see, while the internet has transformed almost every aspect of our personal and business lives, until something goes wrong we rarely stop to think where all of the information we are accessing is actually being stored. This is a reality that has caused issues for many organisations. However, it can easily be eradicated if the right steps are taken at the cloud vendor selection phase.
There are clear operational and financial benefits to the enterprise of deploying cloud computing and in practice there is no reason why this should be considered as more risky than maintaining an existing on-premise solution. It simply boils down to subscribing to good information management principles and seeking the necessary assurances up-front.
If the boardroom is to fulfil its role of managing risks to the business then a number of key pieces of information must be gathered before any core business data is moved to the cloud. Often this is best handled by visiting the data centre itself to get a true understanding of whether security is truly in the provider's DNA.
Almost every cloud vendor will talk up its excellent digital security, boasting credentials such as multiple firewalls and intrusion detection systems. However, the majority seem less keen to publicise other key pieces of information such as who will have access to the data centre facility and where the customer's digital information will physically be stored.
Some may even argue that disclosing these details to customers would itself constitute a security risk. However, they can't have much confidence in their own security credentials if their best defence is failing to tell you what or where they are.
In-depth research into the people, places and processes associated with cloud computing is crucial, as they are all equally likely to introduce new risks or disrupt data availability. After all, the easiest way to 'hack' a data centre remains physical infiltration, where servers can be tampered with or even physically removed.
The first point to cover off is the location of the data centre where the data will be stored. Is it in the UK or abroad and does this have any wider implications with regard to regulations with which you are required to comply? Is it built on a flood plain, or an area prone to other risks such as hurricanes or earthquakes? Is it based in a capital city or high risk zone where terrorism is statistically a more likely occurrence?
Secondly, review the security of the facility itself. Is it audited to meet the ISO 27001 security standard and are employees visibly following rigorous processes? Are all staff CRB checked and have they been trained to recognise potential social engineering strategies whereby intruders pretend to be somebody else or try to exploit someone's natural goodwill? And are legitimate visitors only given appropriate levels of access and supervised at all times while on site?
Finally, look into the specific circumstances of where your information will 'live'. Will your data be housed on a dedicated server or will you share it with other tenants? If shared, then know your neighbours: if they are a high-profile target for hackers, collateral damage could be an ever-present concern.
Cloud Disaster Recovery
As with any supplier relationship it's also vital to have a plan for how you will recover should the unexpected occur. Again, the basic tenets of business continuity and disaster recovery still hold true. However, moving to the cloud does require C-level executives to mitigate against slightly different risks.
For example, while maintaining the confidentiality of sensitive financial or corporate information is important, restoring availability of the systems needed for the business to function is an even greater concern. How soon will you be able to reclaim your data? It is all well and good having a plan for staff to work remotely, but this will only work if you can quickly replicate your virtualised data elsewhere.
As stated up-front, there is no reason why deploying cloud computing won't make you more secure. In fact, it's likely that a specialist external provider will be able to deliver a comprehensive level of protection much more cost-effectively than could ever be achieved in-house. Knowledge is power, and simply by asking the right questions the necessary safeguards can be put in place.
Phil Bindley is CTO of the Bunker, provider of outsourced IT services