Cloud computing concerns - Questions to ask an online backup provider
This article is written by Damon Petraglia, Director of Forensic and Information Security Services, Chartstone, and is the third in a series by cloud computing and IT security experts (see the articles Mitigating the Risks of Cloud Computing and Top Cloud Computing Concerns) who share their experiences and expertise on how to overcome the common security concerns of cloud computing.
The cloud computing implementation concerns below are common and have been expressed to me during my work assessing the security of cloud environments. In addition, law enforcement and jurisdictional issues are a concern if a breach or crime is committed involving the cloud and/or specific data.
At present, the standards for cloud computing security are still in their infancy. The National Institute of Standards and Technology (NIST) has published a few documents on the security of cloud computing. NIST Special Publication 800-144, Guidelines on Security and Privacy in Public Cloud Computing, provides a good overview; however, the private sector and non-government clouds are not required to implement the security measures it discusses.
The Payment Card Industry (PCI) also has specific requirements, but these apply only if the cloud is processing, storing or transacting credit card data.
Finding a cloud computing provider you can trust
Most client companies will base their decision to trust a provider on a few factors: price and the features the consumer wants from the cloud. Request access to security assessment reports so that the decision rests on the actual security posture of the particular cloud.
Ask the provider where your data is physically stored. If the provider cannot answer that question, you should question how they can secure your data if they don’t even know its whereabouts.
Cloud computing matters to consider:
No system on this planet is 100% secure. Some cloud providers have a lot at stake, both financially and in reputation, so they take security seriously, but they are also targets for attack. Until we have solid standards, guidelines and requirements, each cloud is more or less “on its own” for implementing security. Some clouds are more secure than others (I have seen this), but until you know the actual security posture of the particular cloud, you have no way of really knowing. The consumer’s confidence must come from a risk-based decision that reflects the type or sensitivity of the data they plan to use or process in the cloud.
Questions to ask your remote data backup provider:
If you’re using the cloud to back up your data, here are a few questions to ask your provider:
- How many copies are being stored, and in how many places?
- How often is my data backed up?
  - What if I upload 1000 files a day to the cloud but the cloud only backs them up once a week? If this is the case, would I then have lost 5000 or 6000 files that I would have to recreate?
- When my data is stored as a backup, how is it protected?
  - Is it encrypted?
  - Is it on a tape locked in a room?
- What is your recovery interval? In other words, how long will it take to restore my data?
  - Are others ahead of me?
  - Can I pay extra for priority service?
  - Is my data dependent on other data or applications that must be recovered first?
