Top Threats to Cloud Computing #4: Lack of Due Diligence

*This is part 5 of a 5 part series on cloud computing security. You can read part 1 here, part 2 here, part 3 here and part 4 here.*

It’s hard for the average person to keep up with the deluge of new technology out there; it’s not exactly a piece of cake for most IT people either. “The cloud” is getting a lot of attention right now for offering great solutions to typical enterprise problems, but with the hype seems to come misinformation or myopia. If you’re considering moving to the cloud (or you’re already in it), you need to know how exactly it’s going to affect your day-to-day operations, both when it’s up and when it’s down. So when using any cloud computing provider, make sure you know the answers to the following questions:

  1. What are the incident response procedures like on both ends (yours and theirs)? The cloud will go down, albeit rarely (hopefully very rarely). When it does, understand the end-to-end process. Does the provider have a dashboard where you can check for outages? How do they communicate with their customers during an outage? What steps can you take on your end to keep things functioning? What’s the backup plan? How long do their outages usually last? You’ll want to arm yourself with this knowledge so that if there is an outage, you’re prepared to start dealing with it immediately.
  2. Who’s responsible for encrypting what? Don’t assume that when your data goes into the cloud your provider is handling it correctly with no input from you. What kind of encryption do they use? What kind of security certifications do they have? Is their encryption sufficient for your needs, or do things like HIPAA and PCI dictate that you add another layer of encryption on your end? A lot of people assume with the cloud that their data is safer, and that can be true, but it needs to be verified before you proceed.
  3. Who’s monitoring security on both ends and how? Hackers certainly aren’t going anywhere and in fact seem to be increasing in both number and ferocity – what is your cloud provider doing to prevent a breach? And for that matter, what steps have you taken internally? Because you’re not any less of a target than they are just because you’re smaller. Have you explained to your employees the difference between HTTP and HTTPS? Do they know not to access sensitive company information over the unsecured WiFi at the local coffee shop? When it comes to security, the onus is on both sides to provide it, but you and the cloud provider may be covering different bases.

Yes, most cloud providers have been at this cloud computing game for a while and do a pretty good job with things like security, encryption and outages. But if something goes wrong, your boss is going to come looking for you first. Doing your homework on the front end and making sure you know exactly what both sides need to provide in order to make the relationship work can save you major headaches on the back end.