Securing the keys to the cloud

As the cloud model is put to the test at more organizations, security holes and malware are coming to light. Here's how to cope.

Page 3 of 4

Bolstering Security

Experts say organizations should take steps now to protect themselves and their customers from cloud-related security vulnerabilities. One important task is to ensure that their security and legal teams carefully review and vet their service contracts.

"This is really the most important risk mitigation factor for most cloud services, as you are fundamentally outsourcing and need security assurances that are legally binding," Shackleford says. He recommends that companies use the Consensus Assessments Initiative Questionnaire from the Cloud Security Alliance (CSA) as a guide to the questions they should ask cloud vendors about their security controls.

"Use this and the Cloud Controls Matrix, also from the CSA, to ensure that you're looking at the right controls and asking the right questions of any providers," Shackleford says.

Companies should also perform regular penetration tests of their cloud-based assets to assess how vulnerable they might be. However, Shackleford says, "this will usually require some negotiation with the cloud providers."

The most important thing to do is to "define the complete risk environment for all IT assets prior to moving systems, applications or data into the cloud," says Irvine. "The risk evaluation needs to include not only the cost savings or expenses associated with the move, but also the effects of potential loss and downtime."

Critical business systems or confidential information such as financial data and intellectual property might be too sensitive for systems that are publicly accessible in the cloud, Irvine says.

Your contract with a cloud service provider should include "a clause requiring complete declaration of all outsourcing or third-party service providers being used by your cloud partners," Irvine says. "These service providers need to be held to the same service-level agreements. However, the cloud partner needs to be held responsible for any actions, deficiencies or negligence of their service providers."

Cloud providers, for their part, "need to be more diligent about recognizing the shortcomings of the existing architecture," Gilmore says. "While I can relate to the need for deploying solutions in a rapid fashion, I also believe the providers owe their customers the due diligence on ensuring [that] data and resources are safe and secure."

It's vital to audit and update the cloud infrastructure on a regular basis. Users of cloud services should ensure that they completely understand the security architecture of their providers and act accordingly to bolster their own security where needed, Gilmore says.

"Doing things such as implementing an internal Web security system is really a no-brainer, but you'd be surprised at how many enterprises fail to do this," Gilmore says.
