The "cloud" is a nebulous concept. The "private cloud" is not as clearly defined as the "public cloud," but it is still confusing. Of course, we have a long list of questions regarding the cloud, but it's important to ask questions specifically about how cloud data is stored and kept secure. Resources to secure the cloud are plentiful. Here are some of the most important questions organizations should be asking:
- Where is my data when it's in the cloud?
- Who is accessing the data?
- What physical world laws may impact my data in the virtual cloud environment?
Where Is My Data?
In the "private cloud" (in which the environment is under the organization's total control), this question is fairly easy to answer—the IT department that set up the cloud instance has data maps to track where department A's data is located within a hosted environment. The "public cloud" requires due diligence on your part to ensure the data is located on servers in geographic locales and environments that meet your company's needs and doesn't run afoul of local laws. The physical security of the data need to be protected, For example, Amazon's S3 data storage offering asks subscribers which region they wish to store their data —the United States, European Union, Asia Pacific, or South America. The data is stored and replicated across multiple devices and multiple countries within that region. Digging further, in the Asia Pacific region, for example, the three regional offerings are Singapore, Tokyo, or Sydney. Most, if not all, cloud storage providers will be able to identify to some degree where your data will be stored.
Who Is Accessing My Data?
You can't see your data, so how do you know someone isn't rummaging through your files? There are four separate avenues you should embrace to help protect and control access to your company's stored data: identity and access management policies (IAM), access control lists (ACL), HTTP and IP address controls, and encryption. With these four technologies in place, people who attempt to access your data must have the appropriate permissions, access levels, or cryptographic key, giving you control over who is accessing your data and from where. In short, your data is accessible only by those the company determines has a need to know.
What Physical World Laws May Impact My Data in the Virtual Cloud Environment?
Investing time wisely to contract for cloud services is of the utmost importance. According to a July 2013 report from the University of New South Wales' Cyberspace Law Centre, determining where your data will be hosted is not just a discussion for within the CIO's office. The report also concluded there are no uniform standards regulating data privacy and access to stored data.
In sum, your data can be secured, your environment controlled, and a strong defense put in place. Those organizations that invest the time and energy to understand the available cloud resources will be the best served in understanding the risks they are placing on their data when they move it into the cloud.