Trusting the Cloud

Today I met with a number of start-ups within the DIT hothouse. It’s always a pleasure to meet people that are so passionate about their businesses and I try and help these guys as best I can. One topic that came up, one which comes up from time to time, was that of security. Granted, it is normally an enterprise customer that worries about security and not so much start-ups, but it was a fair question. Now security is a complex area, it needs to be considered in layers, for example, a web application with no cross site scripting or sql injection protection will expose a business to attack, and this is nothing to do with the underlying infrastructure. But it is important that if a web service is attacked and compromised that the underlying infrastructure does not allow other customers systems to be compromised, so this is down to the infrastructure provider.  With all of this in mind it makes sense for a cloud solution provider to have an excellent story on security and privacy, it is important that you trust your provider. Here are some of the things you should consider when deciding to trust your cloud provider:

  • Does the provider have a public statement on privacy and security which is continuously updated.
  • Are you happy that the provider has the right operational procedures in place to ensure privacy and security. They may not be able to share full details but they should comply with some industry standards. For example the Cloud Control Matrix (CCM) from The Cloud Security Alliance, ISO/IEC, SSAE 16 / ISAE 3402, HIPAA.
  • Does the cloud provider regularly test their security using penetration testing.
  • Does the cloud provider provide detailed documentation on how to build/deploy to their infrastructure in a secure way. This is vital so that you don’t reduce the level of security for your application by deploying or building it in a certain way.
  • Can you dictate to the cloud provider where your data will be stored. Also make sure you know where data will be if copied for redundancy or high availability requirements.
  • Is the provider Safe Harbour/EU data protection directive certified.

With regard to Azure, Microsoft have an entire website dedicated to providing all of this information.