When moving operations to the cloud, an organization must put a lot of faith in their cloud service provider. After all, the organization is turning over valuable data -- and its security processes -- to another party.
The key to alleviating cloud security risks is doing your homework, both on the vendor and their processes for handling data, said Eric Holmquist, managing director at governance, risk and compliance management firm Accume Partners.
"We've got to ask really hard questions about how people manage this environment," Holmquist said during a SearchCompliance /SearchSecurity webcast on cloud security. "It's very important to have very clear processes, policies, procedures and expectations about how things are going to be managed."
More on cloud security risk
Preparation necessary for successful cloud security strategy
Regulatory compliance complicates nonprofits' use of cloud computing
Holmquist recommends using readily available risk management frameworks such as COBIT and ITIL to temper cloud security risk. Another key is to set clear expectations of the cloud service provider and to delve into the provider's business background.
Past security breaches, regulatory violations and legal issues should all raise a red flag when looking to select a cloud provider, Holmquist said. It's also important to become familiar with the provider's business model, as well as how and where data will be stored, he added.
"You need to be very clear about where your data is going to be and how they are going to manage that," Holmquist said. "When it comes to risk management and information security, we really have to go to extraordinary lengths to think about what the points of exposure are and where they could be compromised."
Holmquist points out that there are many benefits to cloud computing, but there are numerous cloud security risks to consider. In the cloud, potential concerns around insecure interfaces and co-tenancy make due diligence vital to choosing a cloud provider.
"If we are going to manage effectively, we've got to honestly look at all three areas: the benefits, the costs and the risks," Holmquist said. "In the end, it's what you don't know that will bite you."
In this video, get more tips on evaluating and managing relationships with cloud providers as Holmquist and former Accume senior manager Jason Novak discuss best practices for implementing a cloud security risk management strategy.