Security Management in Cloud Computing
Some questions to clarify with potential Cloud Computing vendors.
- Security measures. What security measures does the vendor take to protect the client organization's data? The cloud service vendor must have systems in place to protect information against viruses, hacker attacks or other hazards, and these systems must be more effective than those the individual user could afford. Before choosing cloud partners, the customer must always consider that, by relying on a remote vendor, they may lose direct and exclusive control over their data. On the other hand, a reliable vendor is able to ensure far greater security than many organizations can afford on their own premises.
- Vendor of Cloud Computing services. Who is the real vendor of the service the organization is acquiring? Is it a single organization or a consortium of organizations? The chosen service may be the result of a “chain of transformation” of services provided by service providers other than the one with which the customer enters into the service contract.
- Availability of service and emergency plan. If there are problems with the telecommunications links, will the company still be able to continue using the services without access to the cloud? How quickly can the system be restored, and from which point? Are there plans for essential services? In the absence of adequate safeguards regarding the quality of network connectivity, the virtual service may occasionally deteriorate in the presence of cyber-attacks or peaks of high traffic, or even become unavailable when abnormal events or failures occur that prevent access to temporary data.
- Retrieving data. Is it possible that the data on the cloud can be lost or destroyed? Natural disasters or cyber-attacks could affect the operation of some data centers. It is particularly important to identify possible procedures for data recovery and business continuity, and to quantify the economic impact on the organization of the loss or deletion of data stored only on the cloud.
- Confidentiality. Is there a guarantee of confidentiality for customer data in the event that a competitor shares the same cloud services? Vendors might store data of individuals and organizations whose interests and needs differ from, or whose objectives even conflict and compete with, those of other tenants of the same Cloud Computing vendor. It is therefore appropriate to assess the guarantees offered to protect the confidentiality of information transferred to the cloud.
- Location of the server. In which nation will the vendor keep the data loaded on the “cloud”? The place where the data is stored or processed has immediate repercussions both on the legislation applicable in the event of a dispute between the customer and the vendor and on the national regulations or laws governing the treatment, storage, and security of data. Privacy regulations, in order to protect the persons concerned, provide that data can be “exported” to countries outside the European Union only in specific cases and when these offer protection adequate to that provided by Community legislation.
- Migration. Is the technology used by the cloud vendor owned by them? Can data be exported easily? The service provider's adoption of its own technologies can, in some cases, make it difficult for the user to migrate data and documents from one cloud system to another, or to exchange information with individuals who use different cloud service vendors, putting the portability and interoperability of data at risk.
- Insurance on damage. In case there is a breach or data loss, does the vendor provide prompt relief? The current regulatory uncertainties can make it difficult and costly to obtain adequate compensation for damages suffered as a result of violations, loss of data, or even temporary interruption of the cloud service.