The benefits of migrating IT services to the cloud are well known and compelling, but many enterprises list privacy and security concerns as the number one reason to hesitate. Privacy and the cloud do not have to be conflicting goals. Here are four things companies should really focus on with respect to privacy and security as they consider migrating to the cloud:

Corporate Policies: Weak Policies = Weak Privacy

–
Security and privacy follow the golden rule: You are as good or bad as the weakest link in the system. In many cases, that weakest link is the corporate policy or lack thereof regarding security and privacy of corporate content. Not having a policy in place for users to follow regarding data leakage allows users to place sensitive corporate data “outside” of administrator’s sphere of control, such as a free file sharing service.

Corporations should start with reviewing their corporate security and privacy policies and convey those policies to their end-users with a plan to monitor their compliance. Know where corporate data is being stored and make sure there’s control over those places. Have strict data cleansing policies when releasing or re-assigning employees.

Service Providers: Built-in, Not an After Thought

–
One of the first things that come to mind when thinking about security and privacy and a cloud service provider is the data centers that run the services. Over the past 10 years there was good reason security and privacy were an afterthought for many data centers. Today, however, security at data centers has become a hot button issue.

The recent attacks on retail store databases and NSA snooping are all symptomatic of the attraction of massive aggregate, multi-tenant cloud providers. Service providers that are compliant with as many security and privacy industry standards as possible will help protect companies. Standards like PCI, SOX, SAS70, ISO9000 and HIPAA go a long way in ensuring the data center remains secure. At-rest encryption ensures that content remains private, to a point. Look for industry standard security compliance as well as at-rest encryption to provide a strong cyber firewall for your service provider’s data centers.

In-Transit: “Just Between You and Me”

–
Security and privacy are as good or bad as the weakest link in the system. Many times that’s not the data center, but the communications path between users and the data center. Many companies in the past solved this segment of the problem by installing complex and expensive VPN networks.

Today protocol-specific encryption (such as https and SSL) can provide equal security at a much lower cost and complexity than VPN networks. Look for service providers that can offer a range of in-transit encryption technologies from VPN to more cost-effective protocol encryption methods. PanTerra Networks, and its SmartBox service, is one of the few service providers that can deliver not only the cloud service itself, but can also provide secure, fully-managed bandwidth (including VPN circuits), improving overall security, privacy and reliability.

Client-Side: The Real Black Hole in the System

–
While significant focus in the industry has been placed on the data centers and service providers to enhance security and privacy features of their services, client-side access remains the highest risk area for security and privacy breaches. Companies can have the most secure data center in the world, but if an identity thief can get personal information, privacy is gone.

• Multi-Factor Authentication

–
One of the largest holes in security (and thus privacy) is starring at users every time they log into a file-sharing service today. Most services ask for a user name and password and then users are in. The problem is, so is an identity thief. And in today’s mobile, always-connected world, users are likely “showing” that would-be identity thief their login credentials at the airport, or bus line, or grocery store.

Users can plug this glaring hole in privacy/security by looking for cloud service providers that offer and enforce multi-factor authentication (MFA). MFA means that users (and their would-be identity thief) need at least two pieces of identification or knowledge before being able to log in and access confidential information. The most universal two pieces are 1) login credentials and 2) email boxes. Now, if the identity thief gets login credentials, they would also have to get email credentials to access content. This increases security and privacy significantly without significantly disrupting user productivity.

• Remote Device Management

–
The ability for most mobile apps to “keep you logged in” for an extended period of time (sometimes forever) is convenient, so many users opt to stay logged in. Hopefully they are logged into a service provider that required them to MFA authenticate first. But once logged in, this “stay logged in forever” now posses the next large hole in security/privacy: having a user’s device lost or stolen. A lost or stolen device in the wrong hands is a security/privacy breach that MFA can’t prevent.

Users can protect content by looking for service providers that provide remote device management/control. This means that should a device get lost or stolen, users (or your administrator) can remotely force log out and lock out the device. Some providers even provide the ability to remotely wipe any local content from the device.

If privacy and security concerns are kept in mind when selecting a cloud service, IT administrators can ensure that users will stay secure and will comply with privacy policies. Privacy and the cloud can play nice and companies can enjoy the benefits of migrating IT services to the cloud if privacy and security are thought of as built-in needs upfront.

About the Author
–
Arthur Chang is President and CEO of PanTerra Networks.
–

photo credit: perspec_photo88 via photopin cc