Cloud computing brings a myriad of benefits for any enterprise, but it is also a cause for concern in a world where, according to InformationWeek, cyber criminals are now targeting "any company where they can find data to resell, disrupt or exploit."
Moving your company's sensitive data into the hands of third party cloud providers expands and complicates the risk landscape in which you operate every day.
In order to understand what concerns should be given emphasis in your cloud security strategy, you need to understand what you can't afford to lose and what can protect you.
Understanding what you can't afford to lose
Data breaches, according to the Cloud Security Alliance, are the top cloud computing security threat for 2013 and beyond. Sensitive data can be of enormous value to a hacker, so you need to consider what sensitive data you are storing in the cloud.
This might be anything a criminal can use to determine or steal someone's identity, such as personally identifiable information (PII) like full names, addresses, birth dates, some IP addresses, and online logins and passwords; and financial information such as bank account numbers and PINs. Furthermore, you should consider any confidential corporate information you might share in the cloud.
Essentially, ask yourself "What do I have that others might want?" and "What do I have that I can't afford to lose?" Data privacy regulations often demand public breach notifications in the event of a malicious data breach or inadvertent data loss – particularly if the information is in the clear. If your security strategy fails to protect sensitive data, your enterprise could face severe consequences in terms of business and reputation loss as the result of disclosure.
Understand what can protect you if you do lose your data
Businesses migrating to the cloud should lock down any sensitive data before it leaves the premises. As the Snowden leaks indicate, third party cloud surveillance is ubiquitous, so the more open your data and access policies are for harvesting, the greater the risks to your cloud security strategy.
Deploy an encryption scheme that provides limited, controlled, enterprise-exclusive encryption key access. When you retain exclusive control of your encryption keys, you eliminate that concern of a data breach regardless of where your data resides or how many copies of it exist.
In many jurisdictions, a breach of strongly encrypted data to which the enterprise holds the key does not require public notification.
Even the systems you and your CSPs may have in place to prevent accidental erasure of your data can pose dangers to your enterprise's data privacy.
While backups, redundancy and other failover strategies protect against data loss due to deletion or system failures, they also create extra opportunities for the theft of this data that you consider important.
Keep in mind that, if you terminate your services with a particular CSP, you can never be certain the data has been digitally destroyed.
Moving to the cloud need not be complicated. An important element is for businesses to decide what data to put in the cloud – and then to encrypt it and retain the keys.