Security advice from inside the cloud
Kate Craig-Wood offers an inside perspective on how to keep cloud data safe
If you're managing data not on your own systems, it comes down to trust. Just as if it were hosted on a computer in your office, you need to trust everyone who has access to that machine. If you are outsourcing to the cloud you need to trust the organisation that has access to the underlying infrastructure.
I believe that users should look for companies that have appropriate certifications such as ISO 27001 (as a minimum), and ask them how they regulate and monitor their systems administrators' access to servers holding client data. The most likely source of attack is always from within an organisation.
You also need to ensure the data is well backed up. This is by no means a given. Ask the vendor how many redundant copies of the data are available, and what their restore times are. You should also ask questions about uptime and availability guarantees, and, if you are a British company, whether the data may need to be stored within UK borders (for data-protection purposes).
Who controls the data? One risk with SaaS is that all your eggs are effectively in one basket, and if something goes wrong with that one provider you could face serious challenges.
I believe the best approach may be to disintegrate the stack, enabling you to move your software from one place to another. A typical example of this is using third-party open-source apps to deliver hosted software services on their infrastructure. That way, if the software provider fails you can still get to the data, and if the hosting company fails (assuming you have good backups) the software company can help you transfer to a new host.
Many SaaS providers are essentially running one application for thousands of client organisations, with their data commingling on the same infrastructure and in the same databases separated only by the software itself.
This presents a potential security risk: if there is a flaw in the provider's code it could be exploited to allow access to other customers' data. For some services this may not be a problem, but for critical company or personal data it may be advisable to obtain additional segregation.
The stack disintegration approach can also solve this problem. Open-source apps hosted on virtual or dedicated servers reserved for just one client offer additional layers of segregation between the software instances, thus providing greater security. While the code bases of many SaaS offerings are not heavily tested, network and virtual machine segregation is robust.
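The commingling risk and the per-client segregation described above, as an added example that is not part of the original article; the table layout, function names and sample rows are constructed for illustration. It requests another customer's document id under three designs: a shared database with a flawed lookup, a shared database with a tenant-scoped lookup, and a dedicated per-client database running the same flawed code.

```python
import sqlite3

# Constructed sample data: one document each for two customers.
ROWS = [(1, "acme", "ACME payroll Q1"), (2, "globex", "Globex merger plan")]
SCHEMA = "CREATE TABLE docs (id INTEGER PRIMARY KEY, tenant TEXT, body TEXT)"

def shared_db():
    """One database for every customer: rows are separated only by tenant."""
    db = sqlite3.connect(":memory:")
    db.execute(SCHEMA)
    db.executemany("INSERT INTO docs VALUES (?, ?, ?)", ROWS)
    return db

def dedicated_dbs():
    """One database per customer, as with a server or VM dedicated to one client."""
    dbs = {}
    for doc_id, tenant, body in ROWS:
        if tenant not in dbs:
            dbs[tenant] = sqlite3.connect(":memory:")
            dbs[tenant].execute(SCHEMA)
        dbs[tenant].execute("INSERT INTO docs VALUES (?, ?, ?)", (doc_id, tenant, body))
    return dbs

def get_doc_flawed(db, session_tenant, doc_id):
    """Flaw in the provider's code: the lookup never checks the tenant."""
    row = db.execute("SELECT body FROM docs WHERE id = ?", (doc_id,)).fetchone()
    return row[0] if row else None

def get_doc_scoped(db, session_tenant, doc_id):
    """Fix: every query is bound to the tenant of the authenticated session."""
    row = db.execute(
        "SELECT body FROM docs WHERE id = ? AND tenant = ?", (doc_id, session_tenant)
    ).fetchone()
    return row[0] if row else None

def isolation_report():
    """As tenant 'acme', request document 2 (owned by 'globex') under each design."""
    shared, dedicated = shared_db(), dedicated_dbs()
    return {
        "shared+flawed": get_doc_flawed(shared, "acme", 2),
        "shared+scoped": get_doc_scoped(shared, "acme", 2),
        "dedicated+flawed": get_doc_flawed(dedicated["acme"], "acme", 2),
        "own document": get_doc_scoped(shared, "acme", 1),
    }

if __name__ == "__main__":
    for design, result in isolation_report().items():
        print(f"{design:17} -> {result!r}")
```

Only the shared database with the flawed lookup returns the other customer's document; in the dedicated instance the same flaw has nothing belonging to another client to return.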
You also need to think about data portability – the ability to reuse your data across interoperable applications.
When weighing up SaaS suppliers, see if they have a portability policy. Where a privacy policy discloses what a company can do with your data, a portability policy discloses how a user can access and transfer their own data once it is stored with that company. For IaaS providers, this is normally a given, because they are just providing the infrastructure and you are able to extract the data as and when you wish to at a root level.
Once you're clear who has your data, where that data is held, what they are doing with it and how they are protecting it, you need to establish what procedures are in place to allow you to migrate your data elsewhere.
Look for:
• a clearly defined and established procedure for data migration;
• low- or no-cost migration; and
• data extraction being possible in a meaningful, useful form for immediate reuse.
For SaaS providers, look for an API or tools that can download your data in a meaningful context. This could be as simple as a widget to download a CSV file (as with Google Contacts), or it might be a fully-fledged XML API. Failing that, and if taking the stack disintegration approach, ensure that the database in which the information is stored is transparent and well-documented.
It is frequently not in a SaaS provider's interest to make data portability easy, though, so this can be a difficult item to tick off.
As in any service provider contract, you should negotiate clear SLAs for a cloud provider. These should include, but not be limited to, clear metrics around performance (both networking and computing), provisioning, change management, patching and vulnerability remediation.
To ensure your customers' data is safe in the cloud at all times, always know:
• who has your data;
• where that data is held;
• what is being done with it; and
• how it is being protected.
The rest should be covered by basic security practices, much like those used in a non-cloud environment.
Kate Craig-Wood is chief executive officer and founder of Memset