Page 139 - Cloud Essentials

Cloud Data Storage

One cloud benefit is the ability of authorized persons to access centrally stored data from anywhere to facilitate collaboration. But do you trust your provider to keep your data secure? Encrypting data at rest (stored data versus transmitted data) is an effective means of keeping data private, but because of legal or compliance rules, your data may need to be stored on premises or at a cloud provider within national boundaries. For example, a Canadian company might be required to have its business-related data stored in a data center on Canadian soil under the control of Canadian citizens.

Controlling user access to cloud data differs from controlling user access to on-premises data. User identities, or some form of authenticated user tokens, must be accessible in the cloud to grant access to cloud resources. Possible solutions include replicating on-premises user account information to the cloud or implementing identity federation. Identity federation takes an on-premises authenticated user and represents them as a “security token” to cloud services. The cloud service is configured to trust the on-premises user account provider.
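
The trust relationship described above, as an added Python example that is not from the book: an on-premises identity provider issues a signed security token and the cloud service accepts it only from an issuer it is configured to trust. The issuer name, audience, key and function names are assumptions, and the HMAC shared key stands in for the asymmetric signatures that production federation protocols typically use.

```python
import base64, hashlib, hmac, json, time

# Constructed values: issuer name, audience and key are assumptions for this sketch.
TRUSTED_ISSUERS = {"idp.corp.example": b"constructed-demo-key"}
AUDIENCE = "storage.cloud.example"

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode()

def issue_token(issuer, key, user, audience, ttl=300, now=None):
    """On-premises identity provider: assert an already-authenticated user."""
    now = int(time.time()) if now is None else now
    claims = {"iss": issuer, "sub": user, "aud": audience, "exp": now + ttl}
    body = json.dumps(claims, sort_keys=True).encode()
    sig = hmac.new(key, body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(sig)

def validate_token(token, now=None):
    """Cloud service: return the federated user name, or raise ValueError."""
    now = int(time.time()) if now is None else now
    try:
        body_b64, sig_b64 = token.split(".")
        body = base64.urlsafe_b64decode(body_b64)
        sig = base64.urlsafe_b64decode(sig_b64)
        claims = json.loads(body)
    except ValueError as exc:
        raise ValueError("malformed token") from exc
    # The issuer claim only selects which configured key to check against;
    # nothing in the token is believed until the signature verifies.
    iss = claims.get("iss") if isinstance(claims, dict) else None
    key = TRUSTED_ISSUERS.get(iss) if isinstance(iss, str) else None
    if key is None:
        raise ValueError("issuer not trusted")
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        raise ValueError("bad signature")
    if claims.get("aud") != AUDIENCE:
        raise ValueError("wrong audience")  # token was minted for another service
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    return claims["sub"]
```

No user account is replicated to the cloud side here: the service holds only the issuer's verification key and its own audience name.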


Residual Risks

Assessing and managing risk is a critical component of a successful cloud adoption. There will always be some type of risk, although reduced, even after performing a risk assessment and applying the best solution. Residual risk might result from a technological implementation, but since technology serves business needs, residual risks tend to be more business based.

Most cloud providers have rather extensive security policies and regularly undergo third-party security audits. When considering cloud service providers or comparing them to in-house approaches, you should contrast these policies and procedures with those currently in place. The highest-ranking cloud providers in the industry have published policies and measures that far exceed industry best practices. Any residual risks and measures will have to be addressed by the customer. These residual risks are likely to include the following:


- The risk that the cloud service provider goes out of business or its service offering deteriorates in quality beyond what is acceptable. For these situations, you need an exit plan that describes how data, software, and other digital assets can be moved to a different provider.
- The risk of government action—especially when the provider is outside your jurisdiction—which may require disclosure of information or denial of service. For example, hardware might be

