Too many Australian enterprises are rushing into the Cloud without asking the right security questions, according to Pierre Tagle of information security and risk management consulting firm Sense of Security.
Speaking at AusCERT, Tagle told delegates that while Cloud services offer a number of benefits such as reduced costs, faster deployment time and increased efficiency, some areas, such as proper data segregation, need clarification before an enterprise signs a Cloud contract.
Tagle put forward four questions covering level of service and security control to ask Cloud service providers:
What are the implications for information ownership and usage rights?
“Data location has become an issue and in Europe there have been moves to define certain Cloud services to stay within Europe,” he said. “Australian enterprises doing business in Europe will need to check how this could affect them.”
What types of technical and non-technical controls are available to ensure data integrity and availability?
“This will depend on the Cloud model that is adapted because with software as a service [SaaS] a lot of the control is with the service provider,” Tagle said.
What are the exit procedures and related costs?
“There needs to be a defined exit strategy because one of the challenges of the Cloud is the more you use Cloud application programming interfaces [APIs] or custom options from the service provider, the more difficult it is to remove your data,” he said.
Is there a formal plan to handle a data security breach?
“This is something we need to be concerned about, especially if you don’t know where the data is,” Tagle said. “If the data is located somewhere in the US or Europe, how will you handle that breach?”
Hamish Barwick travelled to AusCERT 2012 as a guest of AusCERT.