Who will check the security of cloud providers?

The most basic facts about your data – like where it is exactly and how it is replicated – become difficult to find out when you entrust it to a cloud, a new study says.

While that’s not surprising, the implications are large, according to the Forrester Research report “How Secure is Your Cloud?” by analyst Chenxi Wang.

Submitting data to a cloud provider means it is stored and manipulated in an environment shared with other customers, and while that doesn’t necessarily mean its security and privacy are in jeopardy, it does mean customers have to exercise diligence, she says. If security is not properly addressed, potential business and legal liabilities begin to mount.

One key precaution Wang recommends customers take is encryption of the data not only as it moves around in the cloud and out to customers but also as it sits in databases. Cloud providers may address this on their own as part of their best practices, but it is up to the customer to evaluate whether it is sufficient.

Wang lists a range of other concerns that customers should also make sure are addressed, such as how auditors can evaluate security of data in the cloud, what authentication methods are used, and how well data is partitioned from that of other customers.

Wang’s list of things to worry about is solid, and it points up a struggle that cloud services providers and customers need to deal with. Customers need to perform due diligence in assessing cloud security, and providers need to make the information customers need readily available. This exchange of intelligence can be costly and time-consuming for both parties.

A certification program in which third parties evaluate providers comes to mind as a more efficient use of time and effort. The third parties would evaluate the providers, and customers would rely on that certification rather than launch lengthy and costly studies of their own. It’s not foolproof, as data breaches at companies that had recently passed PCI certification demonstrate, but it may be the most workable solution for dealing with this complex problem.

The more costly option of performing their own evaluations would still be available for those who feel they need to do so.
