Data Security Policy Misalignment
Knowing what your selected cloud provider’s policies are regarding data security is of paramount importance. You want to make sure that their policies closely align with your own. Companies have gotten quite good over the years at defining very exacting data protection specifications. The limiting factor, of course, is that those policies only apply to the data while it’s in-house. Once you move the data to the cloud, you give up autonomy over it. If your chosen provider’s security policies do not closely align with your own, you could be setting yourself up for trouble.
This is an issue that should be clearly spelled out in every contract with every cloud-based relationship you have. What happens to your data once the contract ends? What happens to data, post-processing? How long is it retained? Is it retained at all? If so, what are the security protocols in place to protect it? What kind of verification can you get or expect in order to ensure that the data is actually deleted? Very important, often overlooked questions that matter a great deal.
Lifecycle Data Security
Where cloud-based data are concerned, there are three possible states in which it can exist. At rest, in transit and in use. Most of the time, when people talk about data security, cloud-based or not, they are referring to the security protocols in place to protect data at rest. Those are important, absolutely, but there are new attack vectors that can go after data when it’s in the other two states as well, making them every bit as important. The “Heartbleed” exploit was one recent, real world example of an attack that targeted data while it was in the “in process” state. Again, this isn’t something that most companies think about when selecting their cloud vendor, but it’s an important question to ask, because it speaks directly to the security of your data. If you don’t have a firm answer, then you don’t fully understand or appreciate your risks.
Lack of CSP Security Evaluations
This lies firmly with the companies using cloud-based vendors. The number of firms that actually have some kind of an evaluation system or process to compare various vendors with one another has actually dropped over the past year, with only 44 percent of firms citing such a policy (this, down from 55 percent the year before). The statistic is moving in the wrong direction, clearly. There’s no good way to properly evaluate your choices without such a policy in place. If your company doesn’t have a yardstick by which it measures vendors, then how can you make the best choice? How can you be certain that your chosen provider will meet all your needs?