Securing the Cloud

Published Wednesday Apr 18, 2012

Author TIM WESSELS

When companies consider using cloud computing, security tops the list of concerns. After all, it involves entrusting confidential information to a third party using relatively new technology. Many people have not yet learned how security works in different clouds, and internal IT staffers may perceive cloud computing as a threat to their fiefdom. Therefore, don't be surprised if they toss the security bomb into any discussion about moving to the cloud.

The truth is, no cloud provider is indifferent to security. Their ability to stay in business is based on their ability to protect the data you store in their data centers. And data is protected by having multiple copies stored in the same or multiple data centers. You may even be able to specify how many copies are needed to meet your requirements for secure data storage.

Most remote data centers are large buildings with few people going in and out of them. Cameras typically monitor who enters and leaves and what they are doing. In addition to thorough background checks, data center employees may be required to authenticate their identity several times before getting access to restricted areas of the data center or before performing certain operations like upgrading software or expanding storage. And cloud centers routinely keep logs to track all activity.

You have to examine providers of public cloud storage on an individual basis to determine if they are offering the security features you need, such as secure multi-tenancy and data encryption. What distinguishes private or public cloud storage from more traditional architectures is its use of object storage technology. True cloud storage is built on object storage. Object storage can scale to petabyte and exabyte sizes and operate with 99.999 percent uptime. Storage based on traditional architectures cannot do this because it is complex, costly, not as reliable, less scalable and less secure.

Audits and Certifications

There are security certifications, audits and standards for the cloud computing industry, and you need to determine if the type of data you plan to store in a provider's cloud is covered by any of them. Ask your provider if it has passed an outside audit. The most common audit is the American Institute for Certified Public Accountants (AICPA) Statement on Accounting Standards No. 70, or SAS 70, which has been in place since 1992. SAS 70 was replaced on June 15, 2011 by the Statement on Standards for Attestation Engagements No. 16 (SSAE 16). In addition to financial controls, SSAE 16 addresses non-financial regulations and practices in the areas of data security, availability, processing integrity, confidentiality and privacy.

If you are restricted to storing data only within the United States, then ask your provider where it will store your data. If it cannot accommodate your request, find another provider who can meet your requirements.

If you plan to store your customers' credit card information in the cloud, then find out if the cloud services provider complies with the Payment Card Industry (PCI) Data Security Standard (DSS), or PCI DSS. The cloud services provider should be able to provide documentation confirming it is PCI DSS compliant.

The Cloud Security Alliance (CSA) has initiated a Security Trust and Assurance Registry (STAR) where providers can submit a self-assessment of their security practices and customers can review the publicly posted information for free. While there are limits to the trustworthiness of a security self-assessment, it does indicate the willingness of the participating cloud services providers to compare their security practices against a CSA framework for cloud-specific security controls. The CSA STAR program is just getting underway, so it is not clear yet how many providers will participate.

Getting Your Data Back

In these uncertain economic times, some companies may be concerned about what happens to their data if their provider goes out of business. There have been a couple of smaller providers that have ceased operations, leaving their customers without access to their data. The good news is there are ways for you to back up your cloud data and make contingency plans. In most cases, a vendor who is going to cease operations will give subscribers the opportunity to download digital assets within a certain period of time. You need to read the agreements carefully when it comes to who owns the data you are storing in the cloud and how you get it back, as you will not have the ability to alter the terms of the agreement with most providers after it's signed. Larger entities can and do alter agreements with cloud providers, but that's the exception, not the rule. For instance, Google's agreement says you own your data and it is relatively easy to extract most of it if you need to get it back. Facebook, not so much. The ownership and control of your data and data about you is an ongoing discussion. Outside of social media sites, data in the cloud is clearly owned by customers.

With so many cloud providers popping up every year, it is likely that some will not survive over the long haul. It is also true that in a technology market full of new entrants, many could eventually be acquired. No matter how a merger or acquisition turns out, it is prudent to have an exit strategy for your data worked out in advance. Your agreement with the provider may spell out how you get your data back from them and in what form. If this information is not spelled out in the provider's agreement, you need to raise that question. Your exit strategy is how you recover your data. Downloading it in some form is the most common way to retrieve data. Or you may be able to back up data from the provider's cloud to another provider's cloud. This is usually dependent on an application program interface (API) that connects a locally based application to a cloud-based storage system, so that a user can send data to it and access and work with data stored in it. Your provider will need to publish the API or make the necessary API available to third parties. Other providers will put your data on DVDs or disk drives and ship it to you for an additional fee.

Security standards in the cloud are evolving even as you read this. The biggest security threats may come from within your company and your security practices, or lack thereof. Cloud security is a two-way street and you must do your part to secure who has access to cloud applications and data.

Moving to the cloud is beneficial for many businesses when done properly. But it's not without risks. With proper guidance, a small or medium-sized business can reduce its IT capital expenses while improving the effectiveness of IT services.

Tim Wessels is cloud navigator at Oort Cloud Computing in Rindge. He can be reached at navigator@oortcloudcomputing.com. For more information, visit www.oortcloudcomputing.com.

 

 
