Cloud risk No. 3: Authentication, authorization, and access control
Obviously, your cloud vendor's choice of authentication, authorization, and access control mechanisms is crucial, but a lot depends on process as well. How often do they look for and remove stale accounts? How many privileged accounts can access their systems -- and your data? What type of authentication is required of privileged users? Does your company share a common namespace with the vendor and/or indirectly with other tenants? Shared namespaces and authentication to create single-sign-on (SSO) experiences are great for productivity, but substantially increase risk.
Data protection is another huge concern. If data encryption is used and enforced, are private keys shared among tenants? Who and how many people on the cloud vendor's team can see your data? Where is your data physically stored? How is it handled when no longer needed? I'm not sure how many cloud vendors would be willing to share detailed answers to these questions, but you have to at least ask if you want to find out what is known and unknown.
Cloud risk No. 4: Availability
When you're a customer of a public cloud provider, redundancy and fault tolerance are not under your control. Heck, usually what's provided and how it's done are not disclosed. It's completely opaque. Every cloud service claims to have fantastic fault tolerance and availability, yet month after month we see the biggest and the best go down for hours or even days with service interruptions.
Of even bigger concern are the few instances in which customers have lost data, either due to an issue with the cloud provider or with malicious attackers. The cloud vendor usually states that they do awesome, triple-protected data backups. But even in cases where vendors said that data backups were guaranteed, they've lost data -- permanently. If possible, your company should always back up the data it's sharing with the cloud or at least insist on legalese that has the right amount of damages built in if that data is lost forever.
Cloud risk No. 5: Ownership
This risk comes as a surprise to many cloud customers, but often the customer is not the only owner of the data. Many public cloud providers, including the largest and best known, have clauses in their contracts that explicitly state that the data stored is the provider's -- not the customer's.
Cloud vendors like owning the data because it gives them more legal protection if something goes wrong. Plus, they can search and mine customer data to create additional revenue opportunities for themselves. I've even read of a few cases where a cloud vendor went out of business, then sold their customers' private data as part of their assets to the next buyer. It's shocking. Make sure you have this known unknown on lockdown: Who owns your data and what can the cloud provider do with it?
Even when the cloud computing risks are known, they're difficult to calculate with real accuracy. We simply do not have enough history and evidence to determine the likelihood of security or availability failures, especially for a particular vendor, or whether such risks will lead to substantial customer damage. The best you can do is pull a Rumsfeld and at least let your management in on the known unknowns.
But first, endeavor to minimize the unknown unknowns. You want as much transparency as possible; if nothing else, at least get a copy of the last successful, relevant audit report. Ask your vendor about previous instances of tenant data compromises and losses, as well as the policy on reporting them to you. Nail down as best you can the limits of the cloud vendor's responsibility. Only by asking the hard questions can you begin to understand the total risks of public cloud computing.
Although it may sound as if I'm down on public cloud computing, I'm actually a huge fan of it. I believe that most public cloud vendors do a far better job securing data than their customers do. But you need to know where your cloud vendor stands and the measures it takes to mitigate risk as compared to what your company alone could provide.
This story, "The 5 cloud risks you have to stop ignoring," was originally published at InfoWorld.com. Keep up on the latest developments in network security and read more of Roger Grimes' Security Adviser blog at InfoWorld.com.