With their small IT departments, there’s good reason why some of the biggest users of cloud services in Canada are small and medium sized businesses.
Yet merely handing over functions or picking up cloud services doesn’t transfer an organization’s security risks. SMBs have to carefully ask providers what they will and won’t do before signing on the dotted line. That’s especially true because security is one of the concerns SMBs have when considering a cloud service, according to IDC Canada.
The European Union Agency for Network and Information Security (ENISA) has just issued a 51-page Cloud Security Guide for SMEs which organizations here will find useful for evaluating network and information security risks.
There are sections that outline not only the network and security advantages, but also the risks — and for each risk there are a series of questions.
For example, the report notes that it is important to understand who is responsible for which software component when using a cloud service. A SaaS provider (Microsoft Office 365 or Salesforce) has all the responsibility for preventing software vulnerabilities. However, the customer is responsible for the software in infrastructure or platform (IaaS/PaaS) services, unless there are special arrangements.
Most important is a list of 12 questions CISOs can ask before choosing a provider. Among them:
- How does the cloud provider manage network and information security risks?
- Which security tasks are carried out by the provider, which type of security incidents are mitigated by the provider?
- How does the cloud service sustain natural disasters affecting datacentres or connections?
- How does the provider ensure that personnel works securely?
- How is the physical and logical access to customer data or processes protected?
- How do you ensure software security?
- Which national legislation is applicable and which foreign jurisdictions are involved, for instance due to the physical location of datacentres or cables?
The report also points out that not all vulnerabilities are in the hands of the provider. Because cloud computing enables mobility, device security is paramount — and that’s in the hands of the CISO. Similarly, it notes that cloud computing doesn’t eliminate the risks of attacks through phishing and other social engineering tactics.
The report is a useful guide that all CISOs should consider.