Cloud Security Awareness and Governance
Cloud computing is a business approach that transforms your business into a profit-making enterprise by saving money and generating return on profits. SaaS applications are attracting attention worldwide and are being accepted by organizations to save cost on in-house software development. PaaS provides an enormous platform for the development of software applications. IaaS integrates your enterprise network with the cloud computing virtual environment. SC Magazine published six predictions in cloud. These security concerns are well rooted in cloud computing. Though the cloud is considered a secure environment, there are still security and governance concepts that are not addressed and that will possibly shape future developments, as listed below:
- Jurisdiction issues, already in the picture but will be ignited further by litigation
- Surveillance laws versus cloud consumer rights. This is a conflict between national security and consumer protection
- Viability of the cloud service provider to sustain the business
- Privacy protection vs publicly held information by the cloud service providers
In one of our pages on cloud governance, four important aspects of cloud governance are shown: Transparency, Legal Protection, Compliance and Accountability. These four elements are very important for providing security governance in the cloud domain, and they should be interpreted in the light of the actions performed by the cloud service provider. The following interpretation of these four elements is suggested:
- Transparency means disclosure of relevant information by the cloud service provider for the benefit of the cloud consumer. It is a universal principle of good faith, "Caveat Emptor", written into consumer laws, that the seller must provide relevant information that will help the consumer make the correct decision. This process of transparency makes it easier for the consumer to select cloud services. In the long run, disclosure by the cloud service provider regarding its services will automatically build trust with consumers.
- Legal Protection means providing the right of jurisdiction to the cloud consumer. In the majority of online contracts and agreements, the cloud service provider avoids giving a choice of jurisdiction for litigation. A cloud service provider that gives a choice of jurisdiction actually resolves legal implications and builds more trust with cloud consumers.
- Compliance means the cloud service provider takes compliance with standards, laws, regulations, contracts and agreements seriously. For example, a cloud service provider's security compliance with ISO 27001:2013, PCI and HIPAA shows seriousness about security governance and protection of data. It also indicates that the cloud service provider has processes in place to ensure that the consumer's data is protected in the physical as well as the virtual environment.
- Accountability means remedies provided for any breach of agreement, data protection and security. Transparency, legal protection and compliance reinforce accountability, and the cloud consumer can seek action against the cloud service provider in case of any violation.
Let's look at this from the perspective of security. Suppose you have a nice server at your office and you keep all your data there. You also provide a firewall, anti-virus and IPS to protect that data. You might have a whole team working day and night to establish protection. You may also have planned for disaster recovery and business continuity. You might be an ISO 27001, PCI or HIPAA compliant company. But all of these incur costs for your company.
Let's see what a good cloud provider looks like. They have big data centres that comply with every security standard. This shows their seriousness about security. They have professional staff working to protect the data from any breach. The data centre might have firewalls, anti-virus and IPS for protection. They have automated disaster recovery in place with 24/7 access to data.
Both of the above-mentioned scenarios look the same, but there is a big difference for the following reasons:
- Cost in the cloud is lower than for an in-house data centre.
- Rapid scalability is present in cloud data centres.
- A breach of security at a cloud data centre means they will lose the customer.
- Cloud data centres have the best policies and hardware to protect your data.
- Compliance to security and privacy standards means that cloud data centres are serious about security.
- Disaster recovery is automated.
- You don't need to hire security professionals to protect your data.
Statistically, cloud data centres provide you (SMEs) with better security than in-house.
Your company's risk management can decide on these factors by making an informed decision. However, it is a question of national security, patriotism and the human rights of data protection and privacy.