Post-cloud assessment necessary, but lacking

Services and data security measures should be consistently monitored after businesses adopt cloud computing, but firms fail to do so, says industry watcher.

SINGAPORE-- More organizations are relying on external vendors as they adopt cloud computing services, but they neglect to conduct periodic audits of the services procured and, in turn, of the security of their data after deployment.

Steve Durbin, global vice president of the Information Security Forum (ISF), a non-profit group which does research on information security issues, shared this observation and urged both public and private sector organizations to better manage their relationships with third-party vendors and the data they entrust them with.

"Adoption of a service like cloud doesn't stop there. Businesses forget to make various efforts to monitor, access and audit the benefits the deployment is supposed to give them," he elaborated. The executive was a keynote speaker at the Information Security Seminar held here on Wednesday.

He added that the auditing process also ensures that the security of the data managed by external vendors is constantly accounted for.

However, the outsourcing of IT functions to cloud service providers "does not remove their legal requirements and statutory obligations", warned Durbin. A company can still be liable even if it was not responsible for any information loss or disclosure. This is why companies need to know "who are they doing business with", he stressed.

Currently, there isn't much effort made by companies to find out more about the backgrounds and track record of their cloud service providers, he noted.

The problem is compounded when companies do not come up with an "agreed list of security controls" in the contract, which should carry the terms and conditions of data use and storage not only during the contractual period, but also after the deal has ended, Durbin said.

He cited the example of a company that relinquished ownership of its customer data when its service provider of 15 years had no contractual obligation to return the former's data after the partnership ended.

Thus, firms must "take into account what will happen upon termination of the contract", Durbin said, adding that this is similar in concept to a pre-nuptial marriage agreement.

Security challenges in the cloud

Besides tracking and assessing cloud deployments, fellow keynote speaker Richard Sheng highlighted that security measures need to evolve in order to keep up with changes in the enterprise IT environment.

The regional director, product marketing and business development at Trend Micro, said that in moving data from their internal on-premise datacenter to external virtual servers, companies will face an increased risk of data security breaches as the cloud provider will now have more control over the data.

"This is why data security and protection is the top cloud challenge [for businesses looking to go cloud]," Sheng said.

To address this challenge, the executive recommended that companies implement data encryption in the cloud and adopt an "agent-less approach" which will provide consistent security across all virtual machines (VMs).