Nigel Griffiths, chief operating officer of Certus TG, explains why concerns around cloud security are easily allayed, and should not discourage businesses from taking advantage of the technology’s exciting potential.
Cloud computing is one of the most significant advances in IT in recent years. Given the changing nature of workforces and the increase in flexible working, providing access to data wherever an employee is based is a huge benefit. Nevertheless, one issue that continues to plague its mass take-up is security.
Data security is paramount to the business investing in cloud infrastructure and to the cloud provider itself, whose reputation rests on the protection it can offer its customers. To this end, providers regularly offer robust data encryption procedures alongside a range of authorisation measures, access controls and backup processes. These multiple layers of protection mean that customers can be confident in the security of their data.
However, for any company accustomed to traditional data storage on their own premises, trusting data to a third party will always feel like a risk, regardless of the benefits. The more sensitive the data, the greater the unease at relinquishing control, for example where personal health information or credit card details are concerned.
There are three potential sources of security risk that cloud providers must ensure against: access from those outside of the customer’s business, including hackers; inappropriate access from within the customer’s business; and access to data between different customers of the same cloud.
Cloud encryption systems are becoming a commonplace method to protect data from external attacks. Information is encoded using a complex algorithm, which can only be decoded using the encryption key. While it is possible for hackers to crack encrypted data, they do not generally have access to the amount of computer processing power they would need to do so.
Businesses using cloud services should always aim to manage encryption keys themselves. These arrangements are sometimes referred to as ‘zero knowledge’ policies by providers: customers are provided with the encryption key by a middle-man service, ensuring the cloud provider has no access to the keys themselves. This ensures no one outside of the organisation has access to the data.
Another common control mechanism for protecting against internal and external access to data is to create usernames and passwords before anyone can access the data. Again, businesses should ensure that passwords are not shared with the cloud provider.
Many cloud customers request multiple levels of authorisation to regulate access to date from within their business. This ensures that only certain individuals can access particular information. For example, a front-line employee may be allowed a limited amount of access, but the head of human resources an extensive amount.
Thirdly, cloud providers must ensure that different customers cannot access each other’s data. Most cloud providers operate on a multi-tenancy basis, where data from different customers is held side-by-side on the same servers. This has long been an integral part of secure cloud-based applications, but can leave customers concerned that their data may be visible to other clients. However, just as a block of flats will house many tenants, but require each to provide their own front door key, access is controlled for each customer with usernames, passwords and data encryption. When a customer logs in to the cloud system, they are not aware of any other customers using it simultaneously and see only their own data.
In an ever more competitive marketplace, it is in cloud companies’ interests to maintain top-level security processes. A reputable provider will make significant ongoing investment in security measures, to ensuring they have the most reliable and advanced data protection systems in place.
There are also steps you can take to ensure your data’s safety. Different businesses have different needs and concerns, so carefully consider your specific security requirements when selecting a cloud provider. Ask questions of potential providers to ensure you know how your data will be handled and protected, and what procedures are in place in the event of a breach or a virus. It’s crucial to know how, and how often, backups of data are taken, and how this data is protected from corruption.
However, it’s not only a case of asking the right questions. Ensuring that you hold your own encryption keys, and regularly refreshing passwords, will also help with security. Resetting passwords will also help avoid misuse of data by former employees who may still hold log in details, something that can have far-reaching consequences for employers. This can also be combatted by staying in regular contact with your cloud provider, to ensure that access rights of former employees are revoked as soon as they leave the company.
Despite even the most robust assurances, there may still be unforeseen circumstances which affect data security. It is vital that you and your cloud provider have contingency plans and recovery procedures that are ready to mobilise should a security failure occur. Ninety-one percent of businesses fail to have an IT strategy in place to combat a disaster situation, and given the cost of corporate downtime to a business, the effects can be disastrous.
Customers should rightly be concerned with the protection of their data. However, the ever-growing popularity of cloud computing is evidence enough of its safety. As long as a business takes time to select the cloud provider which best suits its needs, as well as introducing all of the security measures you can implement as a business, all it will have left to do is to reap the unprecedented benefits that accompany cloud computing.Back