Does your organisation understand the risk, compliance and business continuity requirements for cloud data security?
Data Security is a material consideration for a business when assessing which cloud model is the best fit for your organisation. There are generally three recognised cloud models: public, private and hybrid clouds.
We have previously looked at the pros and cons that these cloud models offer a business, such as cost savings and improved outcomes for individuals and organisations.
This month, we look at what a business should understand about assessing and mitigating the risks of moving into the cloud, in particular when considering Data Security.
Assessing the risks
Regardless of the model, security of data is a material consideration across all three Cloud variations when deciding which model is the best fit for your organisation. The risks to data in the Cloud will vary depending on a number of factors.
These factors include:
- The sensitivity of the data to be stored or processed
- The criticality of the business process and
- How the chosen Cloud service provider has implemented their specific cloud services.
Quay recommends adopting a risk-based approach to deciding how the Cloud fits into your business, and we explore below some key considerations when making your Cloud decisions.
Maintaining Availability and Business Functionality
Maintaining availability and business functionality must be looked at in the context of what your business needs to operate, in particular:
- Consideration should be given to Service Level Agreements, what the vendor’s disaster recovery plan is for both system and data availability and how this works in practice.
- Understanding the physical location, network connectivity, data storage and physical infrastructure for both live and back-up data.
These are important considerations when assessing whether or not you feel the solution you are planning to implement is robust and secure enough to not put your critical data and processes at risk in the event of a failure.
Protection of Your Data from Unauthorised Access by a Third Party
Brute-force attacks and intrusion by a third party are vital considerations when choosing your organisation’s cloud model.
It’s important to understand the pros and cons of a less secure public cloud through to the most secure private cloud option to gain insight into the cost and benefits of securing your data.
Consideration should also be given to:
- The sensitivity of the data
- Legislative requirements
- Physical location where the data is stored and
- The local laws regarding access and the applications of encryption technologies.
You might even find that the public cloud may have stronger data protection than you can afford under a hybrid or private cloud model.
However, it’s not just about securing the data from unwanted attacks and access from third parties.
Where a hybrid cloud (or a shared private cloud) is used, consideration should also be given to what limitations are in place to prevent access to the data by others sharing the cloud, and even by the vendor’s employees.
Are Sufficient Incident Management Protocols in Place?
There is another critical area we believe worthy of mention and it focusses on the process.
Where multiple IT services operate to provide the business service, you need to ensure that each IT component has the appropriate SLA in place to meet your requirements.
Where vendors are involved, there are several points to investigate as part of your decision-making process, for example:
- The systems they use
- Evidence of their actual response and resolution times
- Their business continuity plans and
- Any touch points or handover points that may slip between the cracks in terms of support during an incident.
Often it is how vendors respond when things go wrong that is the true measure of the quality of the service they are providing.
Understand the Implications for Risk, Compliance and Continuity
The decision to move to the cloud is not just about having scalable infrastructure or software as a service.
There also needs to be due consideration of the processes and information being shifted and the implications from a risk, compliance and business continuity perspective to ensure the right mix for your business is achieved and your data remains as secure as possible.