Here is an excerpt from an article that ran in Digital Guardian in late 2014. The entire article can be found here. Digital Guardian asked 27 cloud computing and data security experts, including Jessica Franken, to answer questions on cybersecurity and cloud computing. Jessica was asked:
When it comes to cloud computing and data security, the number one issue most companies face is…
Adequate understanding of the cloud-based service provider.
Before moving forward with a cloud-based service, a customer should understand: 1) what data it will upload to the cloud environment; 2) whether any special security requirements, such as HIPAA, may apply; 3) how critical access to data and the services are to the daily running of the business; and 4) the unique requirements that will exist when the services end.
Adequate investigation of the cloud-based service provider before entering into an agreement is essential. Sophisticated providers will understand the data security requirements in the customer’s industry, have adequate security measures in place, have independent audits conducted that confirm the environment is secure, offer 99.9%-plus availability and have easily accessible support. Companies in multiple locations should also evaluate the location of the stored data and how the services are structured to avoid problems with data transfer restrictions and the system’s processing and response time.
Many cloud service providers offer on-line subscription agreements, which should be carefully reviewed before acceptance. Ideally, a customer will negotiate the terms of an agreement to ensure that the security, service availability and support meet the customer’s needs.
Further, the responsibility, and costs, of handling a data breach should be addressed. Additionally, providers and customers should have a data breach policy in place with a well-conceived plan for handling a breach. Customers should ask the provider to bear the costs associated with addressing a data breach, including notifications, if the provider is responsible for the breach. Finally, companies need to monitor the provider’s performance against its promises and information released about security vulnerabilities, and stay abreast of legislation that addresses data security.