Is Cloud Security in the Clouds?

Wednesday, May 09, 2012

Jayson Wylie


The strategy of cloud computing is to augment computing service needs with a complement of external vendors, relieving or unloading some of the internal IT functions or resources at a possible cost savings for the customer.

Before jumping onto a cloud, you might want to get the legal team, or hire a lawyer, to help parse the Service Level Agreements (SLAs) and other contracts that bind the vendor to a responsibility for the company’s or individual’s interests, assets and IT functions. The aim is to better understand where the buck will stop, so that nothing falls through in a security worst-case scenario.

I have been looking for what I consider the proper wording for the contractual language that basically says, as for the cloud provider, “Yes, we build and maintain the system as well as take up full responsibility for the security of your business interest”.

That could be worded a million different ways in legalese, but there is more likely to be verbiage about uptime and setting expectations for the quality of services provided than an offer to shoulder the burden of security.

Shoot right to the disclaimers and the fine print that absolve the provider of the basic model of confidentiality, integrity and availability of data and services.

Consider what I imagine to be the largest services by volume sourced from the cloud: email service and data storage. Both can offer a lot of exposure to customers when used as a platform for sensitive business data, or even when offered as Infrastructure as a Service (IaaS).

The threats can come from a lack of designed and implemented security on the provider's side. This may be intentional or not, but a lack of oversight, or negligence, in this area can potentially cause disputes over the difference between control and accountability.

Agreements may differ between private and business customers, or between what is publicly stated and what is privately agreed upon, but make sure the view from the cloud is not a hazy one before you leap.

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.