Securing Cloud Services – Part 1

The Cloud…everybody’s doing it

It’s news we read about every day. Someone set up a cloud server incorrectly and now they’ve exposed confidential information publicly. No password. Easy access. And once the cat is out of the bag…

What are cloud services?

Cloud service is the current term for hosted [fill in the blank]. It could be a web server at a service provider’s site, it could be an application. The acronyms abound. SaaS, PaaS, IaaS are a few. Here’s a whole list if you’re wanting to dig more.

Where is the cloud?

‘Out there’ comes the witty reply. It means not hosted at your site or your location. Somebody else is doing the care and feeding of the systems, handling the data, backing it up (hopefully!) and making sure it’s available for you. And they keep it secure, right? We’ll talk about that more.

Keeping the cloud secure

How do you know they are keeping your data secure? This is a great question and I hope everyone looking to use a cloud provider considers this with scrutiny. Data on the internet is moving at a frenetic pace from one place to another. Have you ever watched a shopping spree that’s timed? The cart fills up, people are taking rapid turns between aisles, things are flying out of the cart as the person races back to the start before running out of time. We can be like that with rapid turn up, quick offer turnarounds, fastest to market, etc. These can be good things, but there’s also a time for evaluation of the risks.

Data centers

I’m going to tell you something interesting about hosted services. A lot of times your service provider doesn’t have your data. “What?” I mean they don’t have it on their site either. They’ve contracted with a third-party data center that does all the hosting of servers. The local company providing your PC and backup support? They have your data sitting at a place like Rackspace. These third-party data centers aren’t a bad design. They actually work very well. But the reason I mention this is that you need to know where the data is. You’re the owner of that data. It’s important to know it is being kept at a secure facility and not in someone’s garage.

Finding the data breadcrumb trail

You have to be upfront with the service provider when you start discussing doing business with them. It can’t be something asked later. By then it’s too late. You’re in a contract. Extricating yourself could be even more costly. Standard reports that can be provided by cloud services are ‘SSAE16’ or ‘SOC’ reports. They are audits that can be very long but inside you’ll find where the data is residing. And if the service provider doesn’t have it, consider doing a mini audit of your own. Ask them questions about their security and how they protect your data. If they don’t want to tell? It’s “secret”? Well…maybe keep shopping. Remember that security by obscurity isn’t a thing, at least not a good thing.

What’s Next

I realized as I started writing this article that there’s more than a single article here to put together. In the next of the series I’ll talk about some of the major players out there.
