Security for Cloud Outsourcing: a CIO and Executive Management Concern
The need to lower cost, increase efficiency and conserve cash has increased the motivation of companies to turn to Cloud Computing and increased the appeal of alternative delivery models. The disruptive shifts in demand and supply patterns drive changes in how IT services are bought and from whom.
Three main security and privacy issues that need to be covered in any contract with a vendor:
- Adequacy of Policies and Practices. The security and privacy policies and practices of the cloud provider might not be adequate or compatible with those of the organization. This can result in undetected intrusions or violations due to insufficient auditing and monitoring policies by the cloud provider; lack of sufficient data and configuration integrity due to a mismatch between the organization's and the cloud provider's policies for separation of duty (i.e., clear assignment of roles and responsibilities) or redundancy (i.e., having sufficient checks and balances to ensure an operation is done consistently and correctly); and loss of privacy due to the cloud provider handling sensitive information less rigorously than the organization's policy dictates.
- Confidentiality and Integrity of Services. Insufficient security controls in the cloud provider's platform could negatively affect the confidentiality, privacy, or integrity of the system. For example, use of an insecure method of remote access could allow intruders to gain unauthorized access to, modify, or destroy the organization's information systems and resources; to deliberately introduce security vulnerabilities or malware into the system; or to launch attacks on other systems from the organization's network, perhaps making it liable for damages.
- Availability. Insufficient safeguards in the cloud provider's platform could negatively affect the availability of the system. Besides the applications directly affected, a loss of system availability may cause contention for key resources that are required for critical organizational operations. For example, if disruptive processing operations are performed by the cloud provider (e.g., load re-balancing due to site failure or emergency maintenance) at the same time as peak organizational processing occurs, a denial of service condition could arise. A denial of service attack targeted at the cloud provider could also affect the organization's applications and systems operating in the cloud or at the organization's data center.
The Practical Guide for Cloud Outsourcing Template includes a sample Cloud Outsourcing Contract along with a Service Level Agreement and other tools to facilitate the cloud outsourcing process. The template includes Janco's exclusive Business and IT Impact Questionnaire.