Businesses need to manage risks in the cloud

Businesses need to manage risks in the cloud

Businesses that deploy a cloud computing system need to take security and risk management seriously. Even though the cloud provider manages the technology side of security, a company can put itself at risk by depending on poor security protocols.

Cloud computing is neither inherently secure nor insecure. Instead, the technology's reliability is determined by how it is managed by those that deploy the solution. For example, a cloud provider can meticulously manage its virtual infrastructure to create a clear gap between virtual machines and turn each hosted server into a dedicated device from a security standpoint. This could couple with redundant power systems, offsite backup and other security systems to create an almost impenetrable cloud. But an end-user could log in to the server from a home computer infected with a keylogger, giving a hacker open access to the company's cloud. As a result, the cloud solution would be compromised, despite a secure IT infrastructure.

A recent SYS-CON Media report explains businesses need to clearly understand the risks associated with the cloud. This includes understanding that a cloud provider can be as secure as a top secret military installation and still not protect data because of employee negligence. Therefore, businesses need to deploy their own risk management and compliance systems to safely use the cloud.

According to the report, many businesses put themselves into a difficult position by moving to the cloud before they are really ready. The temptation is understandable. The cloud can reduce operational expenses, give businesses access to innovative software and hardware without forcing them into long-term commitments and make enterprise operations more flexible. However, the report said all of these benefits can be quickly undone if businesses move so quickly that they do not address the technology's risks and manage its impact on regulatory compliance.

One of the keys to ensuring security and compliance in the cloud, the report said, is not looking at the cloud as outsourced security services. It is tempting to give the vendor control of securing data once it has control of the information. On a physical level, this process is fine. But the report said businesses need to make sure they retain their policies for compliance and risk management even if they are moving to the cloud. Essentially, a cloud provider can manage the tangible aspects of security in many cases, but businesses are still responsible for handling all of the intangible, ideological effects of the new computing technology.

Managing risk in the cloud is often easier when businesses understand the risks associated with the technology and are prepared to respond appropriately if something goes wrong. A recent PC World report explains some of the areas that businesses should focus on to avoid falling into security pitfalls when using a cloud solution.

Access control is one of the most important areas to emphasize when develop risk management strategies for the cloud. According to the report, data stored at a third-party site may need to be accessed when businesses maintain servers and perform other basic activities. It is not a situation where a cloud vendor's employees will necessarily need to analyze a company's data, but they may be exposed to information that is normally confidential as part of their work day. Therefore, businesses need to put access control policies in the service level agreement to limit who can work on servers. Carefully controlling access is also important within the company, where passwords should be closely guarded and only given to employees who genuinely need the software, the report said.