James H. Clarkson, Jr., CPA
More and more businesses are moving to cloud computing, both by signing up with private providers that make sophisticated applications more affordable and by setting up their own accounts on public social media sites like Facebook. The trend is confirmed by Microsoft in its global SMB Cloud Adoption Study (2011), which found that 49% of small businesses expect to sign up for at least one cloud service in the next three years.
Private and public clouds function in the same way: applications are hosted on a server and accessed over the Internet. Whether you’re using a Software as a Service (SaaS) version of customer relationship management (CRM) software, creating offsite backups of your company data or setting up a social media page, you’re trusting a third-party company with information about your business and, possibly, your customers.
Although cloud computing can offer small businesses significant cost-saving benefits — namely, pay-as-you-go access to sophisticated software and powerful hardware — the service does come with certain security risks. When evaluating potential providers of cloud-based services, you should be sure to ask the providers how they address these five security concerns:
1. Secure data transfer. All of the traffic traveling between your network and whatever service you’re accessing in the cloud must traverse the Internet. Make sure your data is always traveling on a secure channel; only connect your browser to the provider via a URL that begins with “https”. Also, your data should always be encrypted and authenticated using industry-standard protocols that have been developed specifically for protecting Internet traffic.
2. Secure software interfaces. The Cloud Security Alliance (CSA) recommends that you be aware of the software interfaces, or APIs, that are used to interact with cloud services. Reliance on a weak set of interfaces and APIs exposes organizations to a variety of security issues related to confidentiality, integrity, availability and accountability. Understand how any cloud provider you’re considering integrates security throughout its service, from authentication and access control techniques to activity monitoring policies.
3. Secure stored data. Your data should be securely encrypted when it’s on the provider’s servers and while it’s in use by the cloud service. Ask potential cloud providers how they secure your data not only when it’s in transit but also when it’s on their servers and accessed by the cloud-based applications. Also find out whether the providers securely dispose of your data, for example, by deleting the encryption key.
4. User access control. Data stored on a cloud provider’s server can potentially be accessed by an employee of that company, and you have none of the usual personnel controls over those people. First, carefully consider the sensitivity of the data you’re allowing out into the cloud. Second, ask providers for specifics about the people who manage your data and the level of access they have to it.
5. Data separation. Every cloud-based service shares resources, namely space on the provider’s servers and other parts of the provider’s infrastructure. Software is used to create virtual containers on the provider’s hardware for each of its customers. Investigate the compartmentalization techniques, such as data encryption, that the provider uses to prevent access into your virtual container by other customers.
Although you should address these security issues with the cloud provider before you entrust your data to its servers and applications, they shouldn’t be deal breakers. Cloud computing offers small businesses too many benefits to dismiss out of hand. After all, you already met many of these security challenges the first time you connected your network to the Internet.