As we continue to look at the basics of cloud computing and security, we look at what your vendor should provide. The most frequent approach is to have one provider that is your source for both the software and hosting. If that is your software company, they are probably outsourcing the hosting to another company and will manage that hosting relationship for you. You may choose to host your software yourself.
Regardless of who provides the hosting, there are three things you should expect from your cloud software vendor/hosting service:
Prevent Hacker Access – through encryption over the cloud and targeted access within the application
Provide Physical Security – restricting access to the facility, monitoring the systems at all times and providing a consistent, and consistently accessible, physical environment
Disaster Preparation – being able to keep your data protected and available in case of any physical disasters
Prevent Hacker Access
With all the news of records being stolen from places as diverse as Target and the California Department of Motor Vehicles, access to personal information is on the minds of all of us who deal with data. While there are strong advocates for a variety of different approaches to security, it takes a combination of techniques to discourage hacking attacks.
At the forefront is a password system that is strongly encrypted. Encryption generally involves “salting” with meaningless characters scattered throughout the password. This makes it difficult for hackers to attack when they intercept a web transmission because of the length and randomness of the password. As discussed in an earlier blog entry, the site should also be secured so that any data used during the process is encrypted as it moves from computer to computer.
Password usage within an application can also have a huge impact on security. Software users should only be given access to data they will use on a regular basis. This way, even if somebody hacks a password and gains entrance to a system, the data available to the hacker is limited.
Provide Physical Security
Most identity theft still comes from paper trails and physical access to computers rather than through online hacking attacks. This means that hosting providers must be extremely careful about who enters their facility and who has access to what information. ID badges should be required, even for visitors. Different levels of physical access should be granted depending on what tasks the individual is responsible for. Access to the data in client files should only be granted for the chosen few.
In addition to the physical access, a safe environment must be provided. Safety from human intruders, of course, but also technical issues like clean electricity that keeps the servers running. And a consistent temperature environment that keeps them from overheating. And constant monitoring of both the environment and activity levels just to be sure nothing unusual is happening. The best way to tell how your hosting provider is doing to to take a look at “uptime”. This is the amount of time your system is up, running and available. Your uptime will be expressed as a percentage and should be in the very high 90’s.
When systems do fail, your vendors should provide a disaster recovery that gets you up and going quickly. Hardware failures should be anticipated and have available redundant servers and hot-swappable drives that can get you up and going in literally no time. Monitoring allows technicians to spot problems as they are happening, swap out the malfunctioning hardware and, in many cases, keep you from ever seeing that there was a problem.
In addition, hosting providers have to be prepared for natural disasters. Multiple locations across the country can help mitigate the impact of one serious storm on an area and power availability. Buildings have to be storm and tornado proof with a long term source of power. As we have seen from this past winter, it can take days to get regular power restored. You don’t have days to access your data – you need it now. All of these precautions can help make sure the data is available when you need it.
So, what have we covered so far?
Cloud Basics – Secure/Encrypted Access, Browser-Centric Applications, Browser Security
Vendor Security – Preventing Hacker Access, Physical Security and Disaster Recovery
Our next post will talk about what you and your staff can do to improve your security.