Risky business: How to protect yourself in the cloud

There’s no turning back the clock. We’re all in the cloud, with as many as 90 per cent of businesses in some countries using the technology. Are the risks of cyber-attacks and data theft real, and if so, what steps can you take to mitigate them?

The risk of avoiding cloud services

Despite the widespread adoption of cloud services, some IT executives continue to express concerns about security issues such as cyber-attacks and theft. These fears are not unfounded, but in some cases they may actually increase risk in the organisation rather than reduce it. For instance, when a business is reluctant to embrace the cloud, employees or departments may go ahead and use the services anyway, creating an environment where the risks cannot be properly addressed.

Instead of shying away from the cloud, decision makers would be better served by educating themselves about cloud technology to create the type of structure that will actually protect data while simultaneously reducing risk. Here’s a look at some practical measures businesses can take to increase their trust in the cloud.

Choose the right type of service

Across the many cloud providers, there are fundamentally three types of cloud service: infrastructure as a service (IaaS), platform as a service (PaaS) and software as a service (SaaS). While the names may sound a bit confusing, the basic differences are:

IaaS is a fully outsourced service based on a pay-as-you-go model that allows businesses to store data as well as run applications. Instead of having to buy their own servers, companies can use the enterprise-grade infrastructure of an IaaS provider, such as that offered by Google, IBM, and Amazon, allowing them to reduce their operating costs and remain flexible at the same time.

SaaS, also known as “service on demand”, is a type of cloud service that allows businesses to rent software applications rather than having to buy them. Google Docs and web-based CRM systems would fall into this category. Users simply log into the system via the web, upload their data and run the application using the service.

PaaS is a type of cloud service that allows businesses to write their own software, with the PaaS service running and delivering the program to end users on the web.

Choose the right level of security

Cloud services offer varying levels of security and protection, so you’ll want to research your cloud provider thoroughly. The CSA (Cloud Security Alliance) has identified several possible threats to data stored in the cloud, including:

– Data breaches due to hackers

– Data loss due to hackers or natural disasters

– Account hijacking due to stolen credentials

– Threats from malicious insiders

– Technological weaknesses

As such, you’ll want to find a provider that offers a high level of protection at all data entry points and gives businesses maximum control over their data. For example, look for a provider who:

– Allows you to control your own encryption keys

– Provides encrypted backups where the user controls the key

– Uses two-factor authentication techniques when possible

At a minimum, data should always be encrypted at rest, in transit and on mobile devices, and encryption keys should always be physically and logically separate from the data they protect. In addition, companies that deal with sensitive data such as medical records and credit card payments must take extra measures to ensure their cloud provider adheres to specific industry standards to prevent liability.

Choose to create a secure STAR environment

STAR stands for secure, trusted and audit-ready. A secure STAR cloud environment, therefore, is one that adheres to the highest standards of security, complies with industry regulations and has the resilience to withstand the most adverse events. Since businesses that use cloud services are essentially entrusting large portions of their IT operations to an outside third party, it’s critical that businesses and cloud providers work together to build a cooperative partnership of trust.

Because risk, even when minimised, is an inherent part of the cloud technology, there must be open lines of communication and transparency from the start. Service agreements must be in place and both parties must have a clear understanding of expectations and policies should any issues arise so they can be handled in an efficient and straightforward manner.

With its lower cost, scalable infrastructure, universal data access and more, it’s clear that cloud computing is here to stay. Instead of fearing the cloud, businesses should educate themselves on all aspects of cloud technology and work towards finding the right cloud service provider with whom they can build a long-term relationship of reliability and trust.