As part of my extended blogging network, I recently weighed in on a thread on a vendor’s site about cloud provider security and SMBs and where the responsibilities lie between the 2. I think there is a lot of confusion about whether cloud environments can be more secure for this market segment for those who outsource versus those who run internal cloud environments. So why is cloud security still such an ambiguous thing, and why are companies paying less attention in some cases than they should be?
An Infosecurity Europe survey revealed that almost 73% of organizations in Europe are using some kind of outsourced service, but only about 38% of large organizations ensure that this data is being encrypted. Even more frightening is that only 56% of SMBs don’t do any verification of security services for their data, relying on contracts and contingency plans with their provider instead.
While many might argue that the type of data being hosted isn’t necessarily the most business-critical or sensitive data, but the fact that so few organizations are doing due diligence is frightening. Although there are tons of great benefits from outsourcing your cloud services to a large provider who has security controls in place, and who might offer additional security services to guarantee compliance, it still requires that you do your homework.
Think about the commonly used cloud services – website, email, payment services -are used by some of the largest organizations in the world. If we assume that basic security is in place, it still leaves open a huge gap as it relates to contingency. Many SLAs do not specify what happens to data if there is a breach or they need to move your data. Remember, if you are a Canadian organization, if they need to move your data to a US located server, depending on the content you might be haunted by this remediation plan should the Patriot Act come up during an audit.
The other key thing is to ask about how the provider’s organization deals with such issues, from not just a network or security issues, but down to personnel and escalation and notification procedures. Is the provider required to tell you there has been an issue?
It really comes down to remembering that if you are trusting the provider with your data from a security and contingency aspect, it’s probably a good idea to see how they deal with their own internal policies. If the provider has a solid contingency and security plan in place, and it shows proof of stress-testing for these scenarios, it’s a lot easier to sleep at night trusting them with your data than with a provider who doesn’t.