The three A’s: authentication, authorization, access control. Here are some questions to ponder about a cloud service:
- How often does it clean up dormant accounts?
- What kind of authentication is necessary for a privileged user?
- Who can access or even see your data?
- Where is it physically stored?
- Does your organization share a common namespace with the service (something that greatly increases risks)?
- Are private keys shared among tenants if data encryption is used?
Ask your cloud vendor these questions. Get answers.
A public cloud service can come with several problems that will impact your business. They do have remedies, but hey, who wants a problem that needs to be fixed in the first place?
Here are some questions to ask first: Who can gain entry to the data in a cloud service—your service? Can a crook somehow bypass verification and sneak in? Do you even know who has authorization to access your business’s cloud?
There are other factors to consider as well. Does your cloud service, or one you’re considering, regularly remove inactive accounts? Who might be able to get a look at your data? For those who are indeed authorized to do this, including yourself, what steps must they (and you) take to gain access? And suppose encryption is in place. Will the same private keys be used from one user to the next, or will all authorized users have unique keys?
Make a list of additional questions not covered here, and bring all of these questions to your current cloud service, or one that you’re considering using.
A user of a cloud service can’t help but wonder about the service’s other customers, namely, what are the odds that your data could somehow, some way, slip out and get into the hands of another tenant of that service? Could this happen by accident? What about maliciously? Imagine the mayhem that can result if your sensitive information gets out to another tenant. The sky’s the limit it seems.
Other Questions to Ask
Do you know what virtual exploits refer to? If not, ask the vendor. Make sure the vendor gives you a thorough explanation. Cloud services have virtualization tools, and you should know about these. When there are security updates, who makes the updates? How often are these?
Read the doggone contract! You’ll be surprised what you might find. For example, don’t be shocked if the contract states that your data is the property of the cloud service. Now why would a cloud service make this claim? They may be able to generate earnings by “owning” your data. And it gets them more legal protection in the face of a breach. So you’d better read the contract word for word.
Is it possible for a cloud service to lose your data, as in, it gets swallowed up by a black hole? Though a cloud service may claim it has top-flight data backup systems in place, this is no guarantee that your data won’t one day end up in the Bermuda Triangle… vanished off the face of the earth. Though the cloud may seem like the backup system for your data, you actually have to back up the data you have in cloud storage.
Don’t trust something in cyberspace. Have a physical backup, like a flash drive. And go one step further: Make sure that the contract says you’ll be compensated for damages should your data get lost or stolen.
Cloud services are like real clouds: They have holes; they’re not solid. This is relatively new technology and it needs time to arrive at a point where all possible risks can be laid out and analyzed—for individual vendors as well as the cloud service industry as a whole.
In the meantime, learn about the history of the vendor and its customers. Anything grab your attention? Find out how the vendor alerts customers about data breaches. And get ahold of the service’s most recent audit report.