This post also appeared in The Tennessean, where Concept Technology has a bi-weekly feature in the Business section.
In last month’s column, we identified some key technology trends that we expect to encounter in 2013. We also mentioned that most of the predictions carry some policy and security concerns that you will have to wade through as a consumer, employer and business.
One such trend that carries some hefty security questions is cloud migration.
This year, companies can expect to see more and more business applications move to the cloud. This means that you’ll likely be striking up at least one new partnership with a SaaS (software-as-a-service) provider in the coming months.
Before you cement a new relationship, here are some things you should look into from a security perspective regarding cloud computing.
Who owns your data?
When working with a SaaS provider, you need to be crystal-clear about who owns your data: you.
You also need to understand what mechanisms the cloud provider gives you to extract your organization’s data. For example, the application could have an open API that lets you query your data out.
If you know who owns your data, you’ll have a predefined path to transfer all of it back into your organization should you ever need to terminate the relationship.
Terms of service
With some cloud providers, if you look at their terms of service very carefully you’ll find that it’s possible for them to mine the data that you have on their systems for their own purposes. This could mean targeted ads, generating statistical data or any of a number of things that the provider doesn’t have to tell you about in detail.
For businesses that have to maintain compliance with various privacy standards, this can be a big issue. Your organization’s information security officer needs to read the terms of service very carefully. If you have to deal with legal compliance standards, have your attorney read them, too.
The bottom line: Know what you’re getting into before you start moving data into the provider’s system.
Most companies have some kind of centralized authentication system, and many cloud applications would like to integrate with your existing authentication scheme.
From a management perspective, this is great because it makes things easy for your employees, who don’t have to maintain multiple passwords. But there’s a security implication as well: If the cloud operation is compromised, then your internal network can also be compromised.
That’s why your company needs to be very careful before choosing to integrate cloud applications into your internal authentication systems. It’s often a better choice to not integrate them and to accept the convenience penalty.
The overarching issue when moving your business applications to the cloud is that your organization is at the mercy of how security-conscious the SaaS provider is. If the provider is not doing its job to secure the application, it can lead to a direct compromise of your data. You can’t control the provider’s diligence.
While many applications will, and rightly should, make the transition to the cloud this year, if your company has an application that must be protected at all costs, a SaaS solution is probably not the answer at this time.