Faith-based IT doesn't work in the cloud

 
Five cloud security risks and how to manage them
Interest in cloud computing is at a fever pitch. Many hail the cloud as an easier and much more cost-effective way to deliver IT services. But some enterprises are gun-shy. Why? A 2008 IDC survey of IT professionals uncovered the biggest reason: security.¹

If you’re thinking about adopting cloud services, be sure to fully understand the security implications. Here are five security risks you must consider, along with practical advice on how to address them.


The five security risks to watch for

When you utilize the cloud, it’s critical that you know where your data is, how it’s protected, and who can access it. Unfortunately, many cloud service providers don’t share these details. Even worse, many make no promises about protecting your data.

If a multivendor approach to enterprise IT security makes a single point of accountability difficult, the cloud is even riskier. Choose the wrong service provider, and you’ll have no point of accountability at all.

Before you can assess what kind of security a cloud service provider offers, understand the biggest risks.

Data protection and privacy management

Many cloud service providers offer no service level agreements (SLAs). That means you have no guarantees about data availability, privacy or data protection.

Governance, risk, and compliance

Trusting your data to a cloud service provider doesn’t mean you’re off the hook for ensuring its protection. The cloud raises risks that some service providers may not address. For example, a cloud service provider’s logging and record retention schemes may not meet your regulatory obligations. If your cloud service provider is not logging complete or accurate data, you could fail a security audit.

Identity management

Once your data is inside your service provider’s firewall, who can access it and under what circumstances? How quickly can your service provider grant access? More importantly, how fast can it remove administrative and user access? Your own data authorization policies may be exceptionally strict. But your service provider’s policies may be beyond your control.

Infrastructure security

Applications and data entrusted to a cloud provider are on servers and storage that you didn’t choose or personally maintain. Most vendors don’t give you visibility beyond your virtual resources. So how do you know how secure the physical hardware really is? How do you know your application is running on a perfectly patched operating system and not one riddled with holes?

Readiness

Arbitrarily introducing an application to the cloud isn’t a smart way to assess its readiness. Yet few service providers offer the kind of assessment necessary to determine if an application makes sense for the cloud.

How to mitigate the risks

Cloud computing doesn’t have to be rife with risk. With the right service provider, the cloud can fulfill its promise of more affordable, flexible and easier-to-manage IT services. However, a lot depends on your preparation and choice of service providers.

Classify

When considering a cloud service, first classify your data to determine its suitability for the cloud. Doing a cost-benefit analysis is an important part of this process. Are the savings of putting data in the cloud worth the risks of breaches in security or privacy regulations?

Assess

Find a service provider that does security assessments to determine whether your application or data is ready for the cloud. The best service providers will determine which compliance regulations you’re subject to and help you meet them.

Start with nonsensitive data

Don’t begin your foray into the cloud with applications that expose your customers’ credit card numbers and bank account information. Start with the less risky applications until you can securely manage the model and your provider’s services.

Critically evaluate service provider agreements

Find out exactly how your service provider plans to secure your data and keep it private in the cloud. If your data is critical to the business, demand satisfactory assurances from your provider. These include appropriate terms of service (TOS), acceptable use policies (AUP) and service level agreements (SLAs).

Encryption

Don’t leave encryption to your cloud service provider. Make sure you have key lifecycle management in place. Also, using your data classification effort as guidance, encrypt your data as appropriate and necessary.
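
A sketch of what this can look like in practice, added here as an illustration and not taken from HP or any provider: data is encrypted on your side according to its classification label, each record carries the id of the key that protected it, and keys are rotated and retired under your control. The labels, key ids and function names are assumptions made for the example.

```javascript
const nodeCrypto = require('node:crypto');

// Constructed classification policy: which labels must be encrypted before upload.
const POLICY = new Map([['public', false], ['internal', true], ['restricted', true]]);

// Key ring held by the data owner, never by the provider (key ids are constructed).
function newKeyRing() {
  return { active: 'k1', next: 2, keys: { k1: nodeCrypto.randomBytes(32) } };
}

// Lifecycle step 1: introduce a new active key; older keys stay for decryption only.
function rotate(ring) {
  const kid = 'k' + ring.next++;
  ring.keys[kid] = nodeCrypto.randomBytes(32);
  ring.active = kid;
  return kid;
}

// Encrypt according to the label; unclassified data is refused, not sent in clear.
function protect(ring, label, plaintext) {
  if (!POLICY.has(label)) throw new Error('unclassified data: ' + label);
  if (!POLICY.get(label)) return { label, enc: false, data: plaintext };
  const iv = nodeCrypto.randomBytes(12);
  const c = nodeCrypto.createCipheriv('aes-256-gcm', ring.keys[ring.active], iv);
  c.setAAD(Buffer.from(label)); // bind the label so it cannot be swapped later
  const data = Buffer.concat([c.update(plaintext, 'utf8'), c.final()]).toString('base64');
  return { label, enc: true, kid: ring.active, iv: iv.toString('base64'),
           tag: c.getAuthTag().toString('base64'), data };
}

function recover(ring, rec) {
  if (!rec.enc) return rec.data;
  const key = ring.keys[rec.kid];
  if (!key) throw new Error('key retired or unknown: ' + rec.kid);
  const d = nodeCrypto.createDecipheriv('aes-256-gcm', key, Buffer.from(rec.iv, 'base64'));
  d.setAAD(Buffer.from(rec.label));
  d.setAuthTag(Buffer.from(rec.tag, 'base64'));
  return Buffer.concat([d.update(Buffer.from(rec.data, 'base64')), d.final()]).toString('utf8');
}

// Lifecycle step 2: move a stored record onto the active key.
function reencrypt(ring, rec) {
  return rec.enc ? protect(ring, rec.label, recover(ring, rec)) : rec;
}

// Lifecycle step 3: destroy an old key once nothing stored still depends on it.
function retire(ring, kid) {
  if (kid === ring.active) throw new Error('cannot retire the active key');
  delete ring.keys[kid];
}
```

Only the object returned by `protect` would be handed to the provider; the key ring stays with you, so retiring a key makes any record still encrypted under it unreadable wherever it is stored.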

Insist on transparency

Demand the ability to know what’s happening in the physical infrastructure that underlies the virtual infrastructure.

Get assurance

HP offers cloud services that address every one of these risks. They offer the peace of mind that your data is as protected and available as if it were in your own data center. Learn more about how HP’s Cloud Assure service enables security and performance in the cloud.

¹ IDC, Clouds Beyond the Hype Positioning for the New Era of Enterprise IT, #CCF2009_03, February 2009