Security in the Cloud

Much fuss has been made over security concerns relating to cloud computing.  Just as cloud computing proponents tout the efficiency, scalability, and ease-of-use that come from leveraging the capabilities of the cloud, detractors highlight the dangers inherent with corporate data being stored in an unknown location, on an unknown number of systems, and protected by unvalidated controls.  At the end of the day both groups have fair points, but it is important to recognize that cloud computing is here to stay and despite the unknowns, many organizations will look to the cloud as a way to increase efficiency and reduce costs.  How, then, can organizations ensure that critical data and processes are protected while still realizing the benefits of cloud computing? It is critical that companies determine an appropriate approach to, and use for, the cloud.  In some cases, certain organizations may have data that is considered so confidential or critical that cost savings are not worth the risk of data compromise or loss.  In order to identify such circumstances, a risk analysis that enumerates threats, vulnerabilities, and potential impacts should be performed.  A key criterion for proper assessment of risk is the accurate classification of data; ensure that data is classified appropriately so that particularly sensitive or critical information is not accidently put in the cloud.  Additionally, compliance requirements should be examined to ensure that any changes do not negatively impact compliance status.  Once the risk analysis has been completed, certain mitigating controls may need to be implemented to account for unknowns in the cloud infrastructure.  For example, controls that would typically reside in lower tiers may need to be implemented in applications.  After implementing and assessing these modifications, an initial migration to the cloud can begin.  Keep in mind, though, that it is also important to develop a process for assessing new applications and data before they are moved to the cloud, as well as periodically reassessing systems and information that were previously deemed cloud-appropriate; this is fundamental to ensuring that cloud-related risks are considered on an on-going basis. While there are certainly challenges facing organizations looking to leverage cloud computing technologies, these challenges are not insurmountable.  With a well-devised approach, including assessment and mitigation of cloud-specific risks, organizations can realize the benefits of cloud computing while still protecting critical data assets.