Cloud adoption has been growing over the last couple of years, primarily driven by cost reduction and speed of adoption. However, according to a survey performed by KPMG, the top barriers to cloud adoption remain related to security and compliance. Data security is projected to remain the most important SLA parameter in 3 years. Fundamentally, data and network security are about three control objectives, i.e., confidentiality, integrity, and availability.
Know Where Your Data Lives
Knowing where your data physically resides goes a long way in establishing your cloud security and risk assessment. The data center location is also critical in evaluating latency impacts on the application you are communicating with. Some cloud providers have data centers in international locations, which may be subject to the laws and policies of that jurisdiction. International data centers often add latency that may pose a risk for your business applications on the cloud.
Have a Disaster Recovery and Business Continuity Plan
In 2009, a lightning strike triggered an Amazon EC2 outage, and the cloud services were offline for about 4 hours as a result. Data backup and availability are critical and are among the main challenges facing service providers. Take a long-term view of your hosting services and make sure that you back up your data at appropriate times so that customer data is not lost. Understand the risks associated with data availability and disaster recovery issues that may impact your business. Big companies have lost their data due to improper backup procedures, and it is one of the growing concerns when moving your services to the cloud.
Understand How Your Data is Protected
Understand and solicit clear information about how your cloud server hosting provider protects your data with encryption and firewall security, especially if you need HIPAA compliant hosting. Encryption is a must-have on public cloud SaaS solutions; data needs to be secured and encrypted. Cloud computing resources should be sheltered behind a mandatory inbound firewall. Devise plans for how you are going to monitor network attacks or hostile system activity even when you are on the cloud. You will only be able to judge the sufficiency of your security if your cloud provider is willing to disclose its security practices. Some providers treat their security practices as confidential, which makes this assessment more challenging.
Third-Party Audits: Service Organization Control Reports
Curious if your provider is serious about security? Research whether they have been audited by third parties, which builds trust and confidence. In February 2013, the Cloud Security Alliance (CSA) released a position paper explaining the purpose of SOC 1 and SOC 2 reports for cloud service providers and positioning SOC 2 as the de facto standard for cloud security. SOC 2 audits, conducted under AT 101, cover controls relevant to security, availability, processing integrity, or privacy. In 2013, the number of data centers and CSPs that underwent a SOC 2 attestation increased by 100% year over year, from 7% in 2012 to 14% in 2013. Aside from SOC 2, PCI compliance, HIPAA compliance, and ISO certifications are important indicators of the dedication your cloud service provider has to security.
Hassan Sultan is a partner at Reckenen, which provides accounting and assurance services to privately held companies. Atlantic.net offers reliable and cost-effective VPS hosting for a wide range of business opportunities.