The public cloud offers a wide range of benefits to the organisations that use it. With reduced capital expenditure on hardware and in-house IT infrastructure, together with services such as SaaS, PaaS and IaaS, it offers unparalleled flexibility and improved ROI, and enables IT teams to focus on more business-critical projects.
However, from a security perspective, there are some concerns which users will need to address. Because the public cloud is hosted on shared architecture accessed over the internet, an organisation’s data is processed and stored on hardware shared with other cloud users. For some companies, especially those that store and process personal and sensitive information, this could pose a security problem. In this post, we’ll provide seven tips for managing your public cloud security to ensure that it is as watertight as possible.
1. Make sure your vendor is compliant
Reputable public cloud vendors should be compliant with all relevant security standards in order to safeguard the data and systems of their customers. At WHUK, for example, compliance is central to our hosting services and enables us to offer customers that handle credit and debit card transactions free PCI DSS compliant hosting with all our cloud packages.
However, you should not take compliance for granted. Some hosting companies, such as cloud resellers, may provide compliance through a third-party vendor. In this sense, they are not the company that actually manages compliance on your behalf. Whilst this does not necessarily mean they are complacent (they may have used a third-party provider who can offer a better service than they can), you should check carefully to make sure compliance standards are met and taken seriously.
2. Audit your vendor’s services
Before opting for a cloud vendor, you need to ensure it has the infrastructure in place to keep your data and systems secure. You should check the technology it employs and the processes it uses to manage and maintain its services. You should also check the countries in which its data centres are located. If your data is stored in a country, such as the USA, where the government has the right to access it for national security purposes, it may not meet EU or UK compliance standards.
3. Have clearly defined business-vendor roles
Without clearly defined roles, confusion over areas of responsibility can lead to dangerous gaps in your security needs. At the same time, complications can arise when both you and the vendor are trying to manage the same process simultaneously.
To avoid this, it needs to be made clear, at the outset, exactly what the vendor is responsible for and what you are responsible for. This way, both the organisation and the cloud host can provide seamless management of all your security requirements.
4. Follow internal data protection best practices
When using internet-accessed public cloud services, it is vital that an organisation follows best practices in data protection. This will affect the way in which employees work and the technology you use to ensure your company is secure. For example, you should use SSL-encrypted internet connections and email, have a strong password policy and incorporate data access control so that only those who need data can have access to it.
5. Implement a public cloud security policy
Creating a public cloud security policy is a key way to ensure that security is well managed within your organisation. It enables you to know what security measures you have put in place and how the processes are to be implemented. This should also cover what happens should a security breach occur. All employees who have access to your IT services should be aware of the policy and receive relevant training. Ideally, the policy should be shared with your hosting provider, too.
6. Secure premises and physical devices
Many of the devices used to access your cloud network will be permanently housed at your premises. To keep your data secure, it is important to make sure that they are not stolen by burglars or opportunistic thieves. For this reason, you need to consider ways of ensuring that building access is secure and devices are stored safely.
One of the benefits of the public cloud is that your employees can access your data remotely. This, however, throws up another security issue: how to protect devices taken offsite. It’s a big concern: in 2012, 12,000 laptops were left at US airports every day. The amount of technology lost or stolen is staggering. If someone gets access to such devices, then the possibility of a data breach is substantial. Their security is something which needs to be properly managed.
7. Develop a vendor exit strategy
If you find your organisation is using a hosting provider that cannot provide the security you need, it is essential that you are able to move to a better host. However, that is easier said than done. Vendor lock-in is a common problem for many businesses who are reliant on the technology of their host. To avoid this, you need to have a plan in place so that, if need be, you can migrate your data to a different infrastructure quickly without it affecting your business operations.
Public cloud hosting does offer substantial benefits to its users and can be highly secure. Having read this post, you should now have a better understanding of the security concerns it raises and what you need to do to ensure that your data is protected and meets compliance standards.
If you are looking for highly secure, public cloud hosting with PCI DSS compliance, check out our range of cloud hosting packages.