INFOTECH: Cloud Computing Can Be Turbulent for Organisations
Tepper says that a cloud solution is hosted by a third party, who ultimately has access to the data stored within the third party's physical infrastructure. “When contemplating a cloud migration or establishment, the challenge facing any organisation is data ownership and data security. No matter where an organisation decides on storing the data they are ultimately responsible for the protection and processing thereof.”
Legislation in South Africa is changing, and once the Protection of Personal Information Bill (PPI) is enacted, organisations could be held liable for not adequately protecting personal data. “This may be daunting and deter companies from implementing a cloud strategy. However, Europe and America have been subjected to similar regulatory requirements and have found value in storing and hosting data within the cloud environment. South Africa need not be any different but organisations must proceed with caution.”
Some of the inherent risks associated with Cloud Computing, Data Security and Privacy are:
1. Data Ownership and Responsibility
Organisations that have previously owned and managed their own data centres have always had full control of the processing and storage of their data. By deploying applications, systems or data into the cloud, organisations lose physical control of the infrastructure hosting the data. These organisations are, however, still responsible for the protection of data now stored and processed in the cloud and must therefore make all necessary logical provisions to secure the data. Before organisations migrate to a cloud platform, it is imperative that they define and implement (if they have not already done so) a risk management framework and use it to assess and address cloud-specific concerns.
2. Regulatory Compliance
Local legislation may soon require organisations to protect data and information in accordance with the law. Generally, when hosting data in the cloud, organisations are unaware of where the data is physically stored. This introduces uncertainty around data privacy, laws in foreign countries, as well as local requirements. Once the Protection of Personal Information Bill is enacted, organisations must ensure that the country where their data is stored has substantially similar data privacy laws or provisions governing the cloud service providers. This requires a form of transparency from the cloud service provider in assuring the organisation that both local security requirements and foreign legal requirements are met. Cloud hosting service providers are often hesitant to disclose information around their security policies and controls as well as the location of physical data centres. Regulators locally and in foreign countries may under certain circumstances require cloud service providers to decrypt data for inspection, and/or the data may be seized, including the physical equipment if required. Because the cloud is a multi-tenant platform, organisations must be aware of this and plan accordingly.
3. Infrastructure and Application Security
Hosting in the cloud means that organisations will be storing and processing their data on infrastructure that is not under their own control. It also means that the cloud service providers may use the same infrastructure to host data, systems or applications for other, even competing, organisations. This is called multi-tenancy. Ensuring that the cloud service provider adequately secures the infrastructure is complicated, especially when the inner workings of the cloud are not revealed. With some transparency from the cloud service provider and security assessments, many of the risks can be mitigated in one way or another. Proper due diligence and assessment of the various risks and implemented controls must be carried out on a regular basis. It must be contractually clear what the cloud service provider’s responsibilities are in this area, as well as the rights of the customer with regard to assessments and access to information. Incorrect configurations or poorly secured components on your system/application, the infrastructure of the cloud service provider or your “neighbours’” components may introduce vulnerabilities into the environment which could lead to the entire system being compromised.
4. Business Continuity
Ensuring Business Continuity is an expensive exercise, especially when it requires duplicate infrastructure that is generally not utilised unless disaster has struck. Using the cloud as a disaster recovery site is a viable option and organisations need to consider this. Cloud computing can provide organisations with the necessary infrastructure to restore their data to, and can also allocate additional resources that could minimise the performance impact experienced by end-users. Organisations must, however, identify a cloud service provider beforehand and identify the requirements for a disaster recovery scenario. These requirements (including performance expectations) must be discussed and contracted with the cloud service provider to ensure that the requirements can be met and maintained in a fast-paced, changing environment. In addition to this, it is highly recommended that a disaster recovery simulation is done at least once a year. The last thing any organisation needs is to realise that there are software compatibility issues during a restore of the systems and data.
Cloud computing presents an inexpensive business continuity offering in that organisations only pay for the resources they use. They can run their active information systems locally and replicate to systems in the cloud without paying the expensive infrastructure costs they otherwise would incur. It is still imperative that the organisation ensures that relevant controls are in place to ensure business continuity and that testing is performed on a regular basis.
Tepper concludes that the service offering from cloud service providers can be beneficial to large, medium and small companies since infrastructure is shared, but cautions against a migration without proper due diligence. He reminds organisations that it is important to understand that even though they may outsource technical aspects and obligations, they are still responsible and obligated to ensure privacy in the cloud.