Security is one of the top concerns for organisations when considering a move to cloud computing, according to research from market analyst Quocirca. Our advice for these businesses is to write down their top five or ten concerns and share them with their IT department. Then ask IT how many of the areas are covered by the organisation's own datacentre - the results could be sobering.
Cloud providers know that they are more attractive targets for attack than the majority of single-user data centres. Therefore, they have to take extra steps to ensure that they are truly secure - and most have the means to do so. By averaging the cost of security over a large number of customers, a good cloud provider can afford to spend more on safeguarding its data than the vast majority of private datacentres.
Where should cloud providers start? Begin by employing people who truly understand that security must be comprehensive. A plan must cover not just securing computer systems, but full security that includes the people, the building itself, visitors to the facility, and change management. Cloud providers should have dedicated teams - in Microsoft's case, the Azure Trust Center - that plan and implement broad-scale security policies which are then monitored by the team reacting to security incidents, such as denial-of-service attacks.
Staff should all be background-checked as well - the last thing a secure data centre needs is a black hat inside. Even after background checks, behaviour needs to be monitored to recognise patterns that could indicate employees are not obeying all the security protocols.
Privileged users must be fully monitored. They must never share username and password details, and must strictly adhere to two-factor authentication. Most users should not have access to customer data either - just to the systems that those users work on. Any external engineer coming onto the site must be provided with a work ticket that states the exact job they do, and where they can go - and they must be accompanied at all times.
The odds are that even the most careful cloud provider will experience the occasional security breach. However, if they have all the right safeguarding policies and procedures in place, the damage should be minimal, or non-existent. Because cloud providers know they are at risk of attack, they tend to be better prepared for breaches than an individual company's private datacentre. Thus, businesses should feel confident that their data is safe if they do choose to go with a cloud service.