SANTA CLARA, CALIF. -- There's a lot that businesses still have to ask their cloud service providers before signing up for service, especially about how secure their cloud environment is, the chief operations officer of the Cloud Security Alliance said at a cloud conference here.
John Howie explained the security risks associated with cloud computing and the ways businesses can protect themselves and their data at the Cloud Leadership Forum held June 13 and 14. Howie warned that some cloud providers actually turn around and have customer workloads managed by yet another cloud provider. He also warned against using free consumer-grade cloud services for enterprise-grade computing.
The Cloud Security Alliance is a nonprofit organization that provides free information to its membership of 15,000 companies and 35,000 individuals on how to choose cloud services--private, public or hybrid--wisely and with a focus on data security in the cloud.
Howie sought to dispel the notion that the IT department or other managers can claim they don't need to worry about cloud security because they don't use cloud services. Typically, individual employees subscribe to cloud services on their own. He gave the example of a businessman he met who was on the phone and couldn't send an e-mail because the attached file was too large. The man said he would upload it to DropBox, a cloud-based file-sharing service, instead.
"You use DropBox?" Howie asked the man. "Well, not officially," came the reply. "That's what you're finding in your organizations today."
There's another reason to avoid consumer-oriented cloud file-sharing or storage services such as DropBox, Google Drive or Microsoft SkyDrive, he continued. They are free because they're advertising-supported, and they index user data to glean information about which ads to deliver.
"They are probably indexing your data, not because they want to know what your data is at a human level," Howie explained. "But at the machine level, they want to know what advertisements to send to you to increase the click-through."
It may be harmless enough for consumers to have their data indexed, but an enterprise should not take that risk. There are paid file-sharing services that are better designed for enterprise users and their important security needs.
A related issue is how businesses can remain compliant with government and industry regulations for the security and privacy of company data in the cloud. Not only are there varying regulations at the state and federal levels in the United States, there are myriad regulations globally and, increasingly, both companies and cloud service providers operate globally. What regulations a company has to comply with depends on where the cloud service provider's data centers are located as well as where the company's data centers are located, Howie said.