Cloud Computing - Security Concerns
What is Cloud Computing
Cloud computing allows users to access software and stored information from the internet without having to have software or data stored on their computer. It allows users to access information through a computer, tablet, or smartphone either from an app or through a web browser.
It has the potential to give organisations on limited budgets access to computing at lower cost. It also offers more flexibility by allowing information from different sources to be presented coherently. Because of this flexibility, organisations can access information from a variety of devices. Cloud computing can also allow an organisation to outsource some of its IT services to a third-party provider, thereby enabling it to focus on its core competencies.
The advantages of cloud computing include flexibility and cost control. Cloud computing options include a third-party provider, in-house, or a combination of the two. Having up-to-date patient information on tablets when reviewing patient files can increase efficiency. Likewise, salespersons will have information related to their customers, including concerns which they can address.
Understanding Cloud Computing Before Committing
It is important to understand cloud computing from an organisational strategy standpoint and a security standpoint. We sometimes hear account sales managers from various cloud providers or CRM solutions promote their product without really understanding the product itself. The question to ask is whether the account manager understands what cloud computing is, the product, and common security issues, or whether they are merely focusing on their quarterly commission or bonus targets. Gain an understanding of the fundamentals of cloud computing, and be aware of the concerns that the sales account manager should be able to address appropriately.
Before committing to any cloud solution, concerns related to information strategy as well as information security should be addressed upfront. An understanding of the terms and conditions, including exit clauses, should be well documented, including access to organisational information if the service is discontinued.
Advantages to using the Cloud
Adopting cloud computing can result in reduced cost of ownership. An organisation that has limited resources, is in growth mode, or does not require a dedicated application can benefit. It also allows for flexibility when implementing applications as well as when outsourcing IT operations. It also gives organisations a competitive advantage through the flexibility to scale as the organisation grows or expands into other industries.
Challenges to using the Cloud
However, cloud computing is not without concerns, which include security, service outage, and disaster recovery, to name a few. Local statutory requirements may also dictate that data be stored, or not stored, in certain locations.
Consider how an organisation will continue its operations should internet connectivity go down or the service provider's site go down. Who is responsible for information stored on the service provider's site, and is an independent audit conducted to ensure that information is secure and reliable and that the service is stable? Understand the terms of the agreement related to the responsibilities of the service provider and the organisation.
Access to Information
Evaluate internal controls related to access to information, including regulatory compliance, internal financial controls, segregation of duties and access, monitoring of activities to detect and prevent unauthorised access, as well as the recovery of information.
The cloud has become host to a variety of documents, ranging from personal documents and banking information to corporate information, including proprietary information. There have been cases of compromised data from organisations, which can have an impact on goodwill and future profitability, as well as lead to legal challenges related to the compromised data.
Need for Security Related to Cloud Storage
Data loss and unauthorised access are major challenges. Risk can be mitigated through the use of encryption protocols, redundant data storage, and the implementation of internal controls related to the storage of data. Another threat is the possibility of data being deleted from the information system without a trace. A lack of storage procedures at the cloud provider or the organisation could allow a malicious hacker to target information. Information attacks could also involve eavesdropping on organisational operations through the information the organisation stores. Consider the potential risk to the organisation and to the clients it services. An attack may be a direct hack or a redirection of the organisation's URL.
An organisation could also be hit with a denial of service attack, which could stop it from accessing information on the cloud or reduce access, thereby lessening the efficiency of the cloud. Insecure application interfaces and protocols can create an access point for third parties to access the information, either directly or by intercepting it.
Cloud Service Provider Obligations
Review the terms of the contract with the service provider to see how security issues are dealt with, what the provider is doing to ensure safety, and what its obligations are, as well as those of the organisation. A review of the terms of service should be undertaken to ensure that it adheres to best practices related to information security. A review may include visiting the cloud computing site to determine security protocols; an organisation may use third-party security professionals if it does not have the necessary resources. Ensure that the responsibilities of both the service provider and the organisation are documented to reduce any misunderstanding.
Obligations of the Organisation
Ensuring security does not rest only with the service provider. Organisations need to ensure the implementation of adequate internal control policies and procedures. Proper internal controls include proper access controls, segregation of duties, protecting passwords, and ensuring security patches are up to date.
The obligations to security remain even with cloud computing. A malicious insider such as a disgruntled employee could also pose a threat; this includes downloading sensitive customer information. Proper physical and electronic security control policies and procedures should be in place and enforced. Access should be granted and revoked on a per-need basis. As well, regular internal control checks, both from an information control and a financial control standpoint, should be undertaken.
Best practices include ensuring strong encryption for data that is stored on the organisation's systems and ensuring proper control protocols. Organisations, not only the cloud provider, are responsible for ensuring information security. Well-documented policies and procedures related to the access, usage, and storage of information should be in place.
Policies should be well understood, and routine audits should be undertaken to ensure compliance. A one-size-fits-all policy cannot solve security issues. Security is a shared responsibility amongst all stakeholders.
Types of Clouds & Cloud Models
It is also important to understand the various types of clouds and cloud models, and the security issues that surround them. Security issues will differ by cloud topology, but the fundamental issues remain those of information security. The challenges may be complex depending on the type of cloud, or combination of cloud topologies.
Types of Clouds
IaaS – Infrastructure as a Service – cloud infrastructure that typically allows organisations to run their software on various hardware from the cloud provider.
PaaS – Platform as a Service – a development platform which includes an operating system and programming language.
SaaS – Software as a Service – access to applications via the internet, which may be on a usage-based or per-user basis.
Typical Cloud Models
Private Cloud – used solely by one organisation; managed internally or by a third party
Public Cloud – services on a network that is open to the public
Community Cloud – shared amongst several organisations
Hybrid Cloud – a combination of two or more cloud models
Conclusion
Cloud computing has security challenges, ranging from traditional physical internal controls to those related to information security, from both internal and external access, but it does offer advantages. A lack of information security checks can affect an organisation's statutory requirements and lead to the loss of competitive information such as customer information or patents.
Cloud computing offers advantages including scalability for organisations that do not require a dedicated cloud service. It can also provide the flexibility for organisations to tailor usage to their requirements. It can also be a focal point for combining information from various sources for strategic decisions.
While cloud computing has its challenges and benefits, the use of cloud computing should not be dismissed or embraced fully without addressing concerns related to information security and service contracts. Given the dependence on information security throughout the organisation, security compliance with national or industry best practices is important and should be undertaken.
About the author:
Hanif Shamji, MBA, CPA, CGA is a Finance Business Partner / Sr. Financial Analyst with an information technology background, experienced in several industries.