How can I minimize my risk as we move our data to the cloud?
Hey, Tech Innovator, I’m a CIO for a company that supplies electronic parts to a large defense contractor. While I understand that cloud computing has significant advantages for us, I am concerned about the security of the data of my users and customers when we move to the cloud. How can I minimize my risk? ~ Tom O
Tom, as with every new technology, change and improvement, CIOs face more complexity and more challenges. This Tech Innovator has done a lot of work with CIOs looking to minimize their risks, not just in moving data to the cloud but in mobile applications as well. There are some best practices that can help you.
With emerging technologies like mobile and cloud, the biggest concern is security. Several high-profile companies have been victims of data breaches and have had their web sites hacked. Even mobile apps are possibly unsafe, as there have been reported cases of people getting their iPhone contacts stolen.
So data and security are a challenge. What’s the best way to overcome it?
Having a strong process and framework around risk management, governance and compliance requirements is very critical in transitioning to the cloud.
As a mobile, web and cloud development provider, I am going to tell you more about strong encryption and data protection provisions.
But you should also consider the other factors below to minimize your risks, given that someone else is now managing your data.
– What are the SLAs: How is the data stored? How does the vendor protect your data? What happens if there is a breach? etc.
– You should also evaluate your options for audit.
– Who has access to the data, and what identity management processes are in place to verify identity?
– What are the security standards used by the cloud vendor and do they comply with your compliance requirements?
– Data portability – As the data now resides in the cloud, how do you move data in and out of the cloud?
– Backup and retention policies – What are the back-up policies? Are the back-ups secured as well? What happens to the data when it is deleted from the cloud? Is it deleted securely?
Let me focus on data encryption, as we work with it all the time.
My company, motifworks, works with a company that is the leader in data encryption, Safenet. A project we are currently working on with Safenet is all about applying solutions for data encryption to the cloud, specific to file-sharing services.
As CIO, you need to make sure that those who are developing for you on the cloud do not neglect security. By encrypting the data, they can protect it. Even if you get hacked, no one will be able to make sense of the data because it will be encrypted.
The problem with storing data in the cloud is that you don’t know where your data is residing. Shared data can be accessible to anyone. This is important in the cloud because you are not in control of where your data resides. A rogue employee or hacker can cause a lot of problems.
Most cloud providers encrypt at the infrastructure/storage level. But this may not be sufficient, depending on your application and the nature of the data.
Our solution? Encrypt the data whenever possible. You should be encrypting both “data in transit” and “data at rest”. Encrypting sensitive data (like usernames, passwords, account numbers etc.) at the application level provides an additional level of security in the cloud as it stands now.
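As an added illustration of application-level encryption (example code written for this page, not motifworks' or Safenet's), the Node.js sketch below encrypts only the sensitive fields of a record with AES-256-GCM before it is handed to cloud storage. The field names, record layout and in-memory key are assumptions; in production the key would come from a key-management service or HSM.

```javascript
const crypto = require('node:crypto');

// Hypothetical field names chosen for this example
const SENSITIVE = ['username', 'accountNumber'];

// Encrypt one value. The AAD binds the ciphertext to its record id and
// field name, so a blob copied into another row or column fails to decrypt.
function encryptField(key, recordId, field, plaintext) {
  const iv = crypto.randomBytes(12); // fresh 96-bit nonce for every encryption
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  cipher.setAAD(Buffer.from(`${recordId}:${field}`));
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return Buffer.concat([iv, cipher.getAuthTag(), ct]).toString('base64');
}

// Reverse of encryptField; throws if key, AAD or ciphertext do not match.
function decryptField(key, recordId, field, blob) {
  const raw = Buffer.from(blob, 'base64');
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, raw.subarray(0, 12));
  decipher.setAAD(Buffer.from(`${recordId}:${field}`));
  decipher.setAuthTag(raw.subarray(12, 28));
  return Buffer.concat([decipher.update(raw.subarray(28)), decipher.final()]).toString('utf8');
}

// Encrypt only the sensitive fields; the rest stays usable by the cloud store.
function protectRecord(key, record) {
  const out = { ...record };
  for (const f of SENSITIVE) {
    if (out[f] !== undefined) out[f] = encryptField(key, record.id, f, String(out[f]));
  }
  return out;
}

function revealRecord(key, stored) {
  const out = { ...stored };
  for (const f of SENSITIVE) {
    if (out[f] !== undefined) out[f] = decryptField(key, stored.id, f, out[f]);
  }
  return out;
}

// Constructed sample record; the random key stands in for one held in a KMS
const demoKey = crypto.randomBytes(32);
const storedRow = protectRecord(demoKey, {
  id: 'cust-001', username: 'tom.o', accountNumber: '4000123', region: 'us-east',
});
```

The cloud provider only ever sees `storedRow`, so storage-level encryption on its side becomes a second layer rather than the only one.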
In addition to encryption, as the proliferation of cloud services and mobile devices continues, a strong authentication mechanism is a critical component of your security framework. I earlier wrote a blog post about QR-code-based authentication.
As part of our mobile development and web application development, we use host-proof authentication wherever possible.
Host-proof authentication is an application design that allows you to log in with your user name and password but doesn’t store your password. In other words, security can’t be compromised by the host because the solution is host-proof. Only you have access to your password, which minimizes the risk that it will be stolen.
Keep in mind, this Tech Innovator is not a security expert nor an expert in hacking. I am an expert in anticipating problems and setting up solutions in the right way to prevent a security breach.
Designing host-proof applications and encrypted data for the cloud is a good start. That way, even if hackers get access to your passwords, they will never be able to convert them and log in using your credentials, because the data is encrypted.
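One possible way to build the host-proof login described above, added here as an example and not taken from motifworks' products: the client stretches the password with scrypt and splits the result into a login token for the host and a data key that never leaves the device. The function names, the in-memory `hostDb` and the sample credentials are assumptions made for the sketch.

```javascript
const crypto = require('node:crypto');

// CLIENT SIDE: stretch the password once, then split the output.
// authToken is sent to the host; dataKey stays on the device and is the
// key the client would use to encrypt its data before upload.
function clientDerive(username, password, salt) {
  const material = crypto.scryptSync(
    password, Buffer.concat([salt, Buffer.from(username)]), 64);
  return { authToken: material.subarray(0, 32), dataKey: material.subarray(32) };
}

// HOST SIDE: stores the salt and a hash of the login token, nothing else.
// It never receives the password or the data key.
const hostDb = new Map();

function hostRegister(username, salt, authToken) {
  const verifier = crypto.createHash('sha256').update(authToken).digest();
  hostDb.set(username, { salt, verifier });
}

function hostLogin(username, authToken) {
  const row = hostDb.get(username);
  if (!row) return false;
  const candidate = crypto.createHash('sha256').update(authToken).digest();
  // Constant-time comparison so timing does not leak how many bytes matched
  return crypto.timingSafeEqual(candidate, row.verifier);
}

// Constructed enrollment with sample credentials
const enrollSalt = crypto.randomBytes(16);
const enrolled = clientDerive('tom.o', 'correct horse battery staple', enrollSalt);
hostRegister('tom.o', enrollSalt, enrolled.authToken);
```

A dump of `hostDb` yields only salts and token hashes, so it contains neither the password nor the key protecting the user's data.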
Check back soon for my thoughts on protecting mobile applications.
Motifworks (www.oldwebsite.motifworks.com) is a partner in emerging technology and innovation for business problem-solvers. Companies as large as Microsoft and Sears and as small as one-person start-ups rely on motifworks for lower cost, better delivery and more innovative thinking. For a partner in emerging technology and innovation, contact motifworks at firstname.lastname@example.org.