Service providers must have and maintain both physical and digital security measures to protect information stored in the cloud, and transferred between your organisation and the cloud. Compliance with best practice security standards should be monitored through independent auditing.
International standards, including ISO/IEC 27001 Information security management, have been agreed for the establishment, maintenance and certification of secure data facilities.
You should be provided with clear information about measures taken to protect the security of data during transmission (i.e. the security keys or level of encryption used) as well as when in static storage (e.g. a minimum of two-factor – username plus password – authentication). Service providers should inform you about the best ways to protect information requiring different levels of security.
When choosing an online backup service, a business has to consider its data and system recovery needs and choose an appropriate service level. All good providers offer data replication services to protect your business data in an off-site location, but additional services many be required to 'mirror' your entire system – including operating systems, applications and user settings – in case your business needs to rebuild servers and databases. Service providers must make adequate back-ups to avoid data loss, including back-up arrangements across different physical locations in case of a natural disaster or regional power failure.
ACCAN recommends that you also back-up your own data using an alternate cloud service, or on an easily accessible external hard disk that you control, to protect against a cloud system failure of any sort.
The frequency of backups depends on the method being used, and what is being backed up. Things that don't change often don't need to be backed up often; once per week should be sufficient. However, something like a file-server or mail-server changes constantly, so the safest course is to back these up hourly.
Backups run depending on the number of 'restore points' you want to create. A reasonable minimum is every 24 hours. Increasing or decreasing the frequency should be driven by the number of transactions your business can afford to lose.
If your business involves online ordering with immediate despatch of products, you may want backups to run more frequently than once per day. On the other hand, if your business processes orders weekly in a 'batch mode', you would most likely be covered by weekly backups completed just prior to the weekly run.
The Australian Signals Directorate, an agency of the Commonwealth Government responsible for data security, has prepared a comprehensive suite of documents – including a guide to Cloud Computing Security Considerations – that you are able to freely access.
The remainder of this section summarises the issues you should consider when assessing a cloud service provider's capacity to:
- maintain data availability and business functionality;
- protect data from unauthorised access by third parties; and
- handle security incidents.
Maintaining Availability and Business Functionality
The Service Level Agreement (SLA) offered by your provider as part of your contract must guarantee adequate system availability and quality of service, backed by an ability to demonstrate that they have robust systems and business processes in place. Availability may be affected by technical issues such as computer and network performance and latency, hardware failures and faulty or poorly configured/maintained software. It may also be affected by deliberate acts such as denial-of-service (DOS) attacks against you or the provider.
ASIO recommends that cloud service providers comply with the industry standard ANSI/TIA 942 Telecommunications Infrastructure Standard for Data Centers. Data centres that comply with this Standard are expected to be available more than 99% of the time.
Protecting Data from Unauthorised Access
When you commit your valuable business information to a remote service that you don't have direct control over, it is critical that your cloud service provider have a demonstrable commitment to data protection. As well as preservation measures like regular backups, the provider must be able to show that your data is as safe as possible from digital or physical intrusion by outsiders, fellow cloud customers and rogue employees.
You need to be confident that your cloud service provider has appropriate controls in place, including –
- Timely application of security patches
- Regularly updated antivirus software
- Protection against unknown vulnerabilities
- Hardened operating systems and software applications configured with the strongest possible security settings
- Intrusion detection and prevention systems
The actual data centre used by the provider to house their IT equipment must also be secure enough to prevent tampering with or theft of devices or the data stored on them. Depending on how important or sensitive your data is, you may want to consider using data centres accredited by ASIO's Protective Security Section.
Handling Security Incidents
The cloud service provider you choose must be easy to contact (e.g. by telephone and email) with requests for support, and able to respond to security incidents promptly. Similarly, your provider must establish a means of securely contacting you (or your delegate) about any incidents that may affect your data.
The maximum acceptable response time should be included in your SLA with the provider.
The cloud service provider should be able to provide you with an incident response plan that specifies how they detect and respond to security problems, as well as provide you with access to logs that record all transactions relating to your data.
In addition, providers should be able to demonstrate that all relevant members of their staff are appropriately skilled and certified to operate their systems in a secure manner, identify potential threats, and deal with security incidents.