Cloud computing and security breaches
In today's high-tech environment, you can't go a day without hearing in the news that yet another company has been hacked and data has been stolen. Even more ominous are the headlines that government entities are involved in the hacks. Many of the stories involving data breaches have been tied to information stored on the cloud; given the trend to move to the cloud, it is even more critical that your cloud solution addresses these security concerns. The good news is that, if planned correctly, these security concerns can be mitigated. There are 3 areas that you need to consider in order to address your security concerns: security measures, data protection, and audit rights over data center security procedures.
Security measures can include industry-standard certifications such as SAS 70 or PCI Security. If industry certifications will not meet your security needs, you need to discuss your specific needs with the cloud vendors. Also ask where the data centers are physically located, since it may impact governing law and jurisdiction in case there is a dispute. Your organization may also have regulations that require your data be held in US locations only. Also ask what the procedures are in case of a data breach. How will you be notified? Will you be given the nature of the breach? What information was compromised?
Data protection should include backup plans for your data as well as access to your data at all times. One overlooked detail is who owns the data; you should clarify that you maintain ownership of the data. Furthermore, it is important to ensure that your agreement contains provisions for the cloud vendor to provide a complete copy of all your information and data upon a written request. Vendors may charge a fee and the fee should be determined upfront. Retrieving your data in the event that you terminate your business relationship with your vendor should also be clarified.
Lastly, your organization should have the ability to conduct an audit of your cloud vendor to ensure compliance with your security needs. This will allow your organization to be proactive in minimizing security risks. Unfortunately, data breaches aren't going away anytime soon, so your organization needs to be doing everything possible to mitigate your exposure.