Cloud computing
has become one of the most popular options for industry to save infrastructure and
maintenance cost. Cloud computing has its roots in the Software as a Service (SaaS)
architecture and takes it one step further. Cloud computing provides a way to
be flexible in adding computing resources on the fly without investment
in infrastructure or maintenance. The cloud option seems very attractive to most
organizations, but many of them fail to consider the critical decision factors
behind choosing it as a viable option.
Security is one of
the most critical factors, and it should be analyzed appropriately before
choosing the cloud option. To ensure the security of an organization's database systems
on the cloud, the first step should be to
select the right vendor by analyzing the vendor's background and
history. The vendor plays the most critical role because once data moves out of the
organization's premises, the company relies on the vendor to secure and protect that
data. A vendor should have a good financial background and history to be
shortlisted as one of the possible vendors. The vendor needs to prove its
credibility by being transparent about its data backup plans and policies
and its disaster recovery plans. Data security is not only about outside attacks;
data is also vulnerable to natural catastrophes, and the vendor should have
the required procedures and policies to recover from a disaster.

Second, it is
very important to analyze the vendor's procedures and policies for user
authentication and authorization. The cloud is meant to be accessed from anywhere,
such as mobile devices and computers, at any time, provided that appropriate
support is available on the platform. This provides flexibility to organizations but
adds the additional risk of how password-related information is stored and
transmitted when the cloud is accessed from these platforms. Authentication
and authorization ensure that the right set of users has access to the right piece of information,
and hence protect organization data. A good authentication and authorization
procedure, coupled with single sign-on logins or strong password requirements,
can help in fraud detection and data protection.

The next step should be ensuring that
the data on the cloud is regulatory compliant. It is very important to understand
how the vendor ensures regulatory compliance, because as the data resides on
vendor systems, regulatory implications such as HIPAA or Sarbanes-Oxley
compliance play a very critical role and hence should be addressed in the most
appropriate way. If the actual data is moving out of the country, it becomes
even more important to analyze and understand the privacy and regulatory
implications for the data.

The next step should be to analyze how the vendor handles
co-residence. Cloud vendors offer the use of their resources to multiple clients,
so there is a high possibility that the same system where the organization's data
resides is being shared with a competitor. This co-residence can lead to
serious security issues, and it is important to analyze how data is isolated
from the vendor's other customers.

The next step should be to get an idea of the
vendor's policy on security audits, to understand how the given vendor acts
proactively to avoid the occurrence of any security incidents.

Another
important attribute is the external interface. To allow access to any application
or data in the cloud, the vendor exposes interfaces and APIs, often called
middleware, to its customers. These interfaces act as a gateway for accessing data
on the cloud. Therefore, the next step should be to verify that there are no security
loopholes or bugs in these interfaces and APIs.

Just as it is important to protect
data from outside attack, it is equally important to protect data from inside attack. Therefore,
it is important to analyze security compliance with respect to physical access
to the data. The easiest way for someone to get confidential data would be to
access it physically, if possible. Therefore it is important to ensure security
from the perspective of hardware, the data center, people and processes.

Once the
organization has analyzed the points mentioned above, it needs to
decide whether it wants to move all of its data to the cloud or would rather
retain the confidential data within the organization. This is important because
this critical and confidential data could be the backbone of the organization, and the
organization may not always be able to afford to put such data on the cloud.
Database systems
are the most important asset of any organization, and therefore all the
security concerns discussed above need to be addressed and protocols should be
established to bridge any gaps.