The cloud security checklist

Think your data will be safe in the cloud? Here are six tough questions for your cloud service provider.

Whether you're a small business relying on Google Docs for document sharing or an enterprise moving your global ERP system to the cloud, you should demand that some common security and compliance requirements are met by vendors providing applications and services over the Web. These requirements involve who can access your applications and data, as well as the systems hosting them; where the data is stored; and whether the data is hosted on dedicated, rather than on shared, hardware. They also ensure that you get detailed logs of who has accessed your data and applications so that you meet corporate and regulatory standards, and they verify that data is properly encrypted -- a factor that's more critical outside the corporate firewall.

What you demand of the cloud depends on your corporate standards and your compliance needs, the amount and type of workloads you're moving to it, and how you are dividing administrative and security responsibility between your staff and your provider. Security requirements also vary depending on whether you're using software as a service (SaaS), infrastructure as a service (IaaS) or platform as a service (PaaS) offerings. But you should at least consider each of the following questions in your cloud security plans.

1. Who has authentication/access control?

The ability to prove that users are who they say they are and control the data they can see and the functions they can perform, based on their identities and roles, is the top priority of almost every cloud user interviewed for this story. Authentication can be the most challenging when you maintain user information and controls within the firewall using a repository such as Active Directory but host your servers and applications in the cloud.

The ideal is a "federated" identity management access system that pools authentication information from all of your organization's systems -- internal and external. This allows instant authentication of any user who presents the proper credentials, such as a password or a password and a token. It also provides for single sign-on, allowing users to access all of their applications and data, in-house and in the cloud, with a single username and password. While top SaaS providers have the infrastructure to provide single sign-on to large customers that are themselves equipped to serve as "identity providers," many smaller service providers and their customers lack those capabilities, says Eve Maler, an analyst at Forrester Research.

However, because federated identity management can be expensive and cumbersome to implement, many organizations settle for a "synchronized" approach in which separate copies of a user's authentication information are maintained by different applications, says Maler. This can weaken security by spreading user credential data across multiple locations and companies. It can also leave a lag between the moment an employee's access is revoked in internal systems and the moment it is revoked in a cloud-based application, creating a potential security gap.
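The deprovisioning lag described above is something you can measure rather than guess at. The following is an added example, not code from the article or from any vendor it mentions: it reconciles a constructed export of an internal directory against a constructed user list from a cloud application and flags accounts that are still active in the cloud after being disabled internally (including whether they logged in after the disable date), plus cloud accounts the directory does not know about at all. The data structures, field names and the `find_access_gaps` function are assumptions made for this example.

```python
from datetime import datetime

# Constructed sample data (not real accounts). DIRECTORY_USERS stands in for an
# export from the internal identity store (e.g. Active Directory); CLOUD_APP_USERS
# stands in for the user list pulled from a SaaS application's admin API.
DIRECTORY_USERS = {
    "alice@example.com": {"enabled": True},
    "bob@example.com": {"enabled": False, "disabled_at": "2024-05-01T09:00:00"},
    "carol@example.com": {"enabled": True},
}

CLOUD_APP_USERS = [
    {"email": "alice@example.com", "active": True, "last_login": "2024-05-03T10:12:00"},
    {"email": "bob@example.com", "active": True, "last_login": "2024-05-02T14:30:00"},
    {"email": "dave@example.com", "active": True, "last_login": "2024-04-20T08:00:00"},
]


def find_access_gaps(directory, cloud_users, now):
    """Compare active cloud-app accounts against the internal directory.

    Returns one finding per cloud account that should not still be active:
      - "disabled_internally": the directory has the user disabled, but the
        cloud app still lists the account as active. The finding records how
        long the gap has been open and whether the account was used after the
        internal disable time.
      - "not_in_directory": the cloud app has an active account the directory
        does not know about (a local or orphaned account).
    `now` is passed in explicitly so the result is deterministic.
    """
    findings = []
    for user in cloud_users:
        if not user["active"]:
            continue  # already deprovisioned in the cloud app; nothing to report
        email = user["email"].lower()
        entry = directory.get(email)
        if entry is None:
            findings.append({"email": email, "reason": "not_in_directory"})
            continue
        if entry["enabled"]:
            continue  # consistent on both sides
        disabled_at = datetime.fromisoformat(entry["disabled_at"])
        last_login = datetime.fromisoformat(user["last_login"])
        findings.append({
            "email": email,
            "reason": "disabled_internally",
            "hours_since_disable": (now - disabled_at).total_seconds() / 3600,
            "logged_in_after_disable": last_login > disabled_at,
        })
    return findings


if __name__ == "__main__":
    report_time = datetime(2024, 5, 4, 12, 0, 0)  # constructed "current" time
    for finding in find_access_gaps(DIRECTORY_USERS, CLOUD_APP_USERS, report_time):
        print(finding)
```

Run on a schedule against real exports, the `hours_since_disable` value is the metric to track: it tells you how long the synchronized approach is leaving revoked users with live cloud access, and `logged_in_after_disable` is the case worth escalating.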
