Data stored in public clouds can be compromised as a result of failures in a provider’s security technology or its operational security practices, and this is a major risk in a multi-tenanted system where business competitors share the same IT infrastructure. If you have internal policies for information governance that encompass security, then you must ensure that your cloud provider takes security as seriously as your business does; some key security questions are provided below. It is also important to be aware that you, not your cloud provider, remain responsible for keeping your confidential customer data safe.
Security technology failures
An example of a security technology failure in a public cloud was the bug found in Google Docs (a Software as a Service system) in March 2009 that led to a small percentage of documents being inadvertently shared with unauthorized users (Mazzon, 2009). But the fact that, at the time of writing, it was difficult to find any other significant examples, despite the large number of cloud computing providers and media attention, speaks volumes. It is in the interest of these providers to secure their systems, and they typically have far more resources to devote to the problem than their customers.
Operational security failures
An example of an operational security failure in another Software as a Service system was the Twitter hack of January 2009, where an attacker gained access to internal support tools and took temporary control of the Twitter accounts of President Barack Obama, among others (Twitter, 2009). In that case the attacker allegedly took advantage of a weak password on a support user account to gain access (Zetter, 2009). Again it is difficult to find further examples, and it is unlikely that providers of more business-critical cloud-based systems would be so careless in their use of passwords. But cloud providers are well aware that the most common fear about cloud computing, particularly in public clouds, concerns security, and a number of them have joined forces to form the Cloud Security Alliance, a non-profit organization that promotes best practices and provides comprehensive (and free) cloud security guidance documents at http://www.cloudsecurityalliance.org/.
Key security questions
Chapter 5 provides further guidance on choosing suppliers, but here are some key questions to ask them about the security of their systems with regard to both their technologies and their operations:
- Are security tests an integral part of their software development cycle?
- Are security issues specifically addressed in technical training programmes?
- Are non-technical employees made aware of security issues when they are trained?
- Are third-party security audits performed, and, if so, by whom, how thorough and how often?
- What operational policies and controls are in place, what do they cover and are they assessed by third parties?