As a small business, jumping into the cloud may feel like you’re giving away control of both your IT and your business data. When evaluating a cloud service, you need to consider the security of your end devices such as PCs and laptops, the connection to the cloud, and the cloud service itself. Following are five key security considerations you should investigate to ensure the confidentiality, integrity, and availability of your data to help you make the best cloud service selection for your business.
1. Secure data transfer. All of the traffic traveling between your network and a cloud service must traverse the Internet. Make sure your data is always traveling on a secure channel. For example, if you’re using a browser to connect to the provider, make sure the URL begins with “https.” Also, your data should always be encrypted and authenticated using industry standard protocols that have been developed specifically for protecting Internet traffic, such as IPsec (Internet Protocol Security).
2. Secure software interfaces. Be aware of the software programs or methodology used to interact with cloud services. According to the Cloud Security Alliance, ”Reliance on a weak set of interfaces and APIs exposes organizations to a variety of security issues related to confidentiality, integrity, availability, and accountability.”
3. Secure stored data. Your data should be securely encrypted when it’s on the provider’s servers and while it’s in use by the cloud service. Ask potential cloud providers how they secure your data not only when it’s in transit but also when it’s on their servers and being accessed by cloud-based applications. Find out, too, if the provider securely disposes of your data, for example, by deleting the encryption key. In addition, make sure the data stored in the cloud is backed up and that you’re also applying the same provisions for securing data to the PCs and laptops in your office.
4. User access control. This applies to both your end devices and a cloud provider’s server. You should consider the sensitivity of the data you’re allowing out into the cloud. Also, ask providers for specifics about the people who manage your data and the level of access they have to it. You want to clearly define who has access to what data, how they can access the data, and what they can do with that data.
5. Data separation. Every cloud-based service shares resources, namely space on the provider’s servers and other parts of the provider’s infrastructure. You want to make sure there’s a clearly defined and secure file structure in place so that your data does not intermingle with the data from another business.
Michael “Miguel” Sanchez, a Certified Information Systems Security Professional (CISSP ), is Marketing Manager for Small Business Security Solutions at Cisco Systems.