Tips: Some suggestions for outsourcing cloud computing security

Source: Internet
Author: User
Keywords: Suppliers, Cloud computing

Many companies have either deployed cloud computing or are about to do so. Cloud computing is the latest technology for improving flexibility and reducing costs. By providing bundled, scalable software, infrastructure, data storage, and communication solutions, outsourced cloud computing vendors let a company save money, avoid high-cost IT commitments, obtain an effective system at scale on demand, and deploy the latest services quickly.

A question to consider before you walk in the clouds

However, there is no free lunch: outsourcing cloud computing cannot solve the critical issue of legal risk, which accompanies third parties' knowledge of where data is stored and transmitted. This article discusses that issue. An enterprise must take the following points into account when it decides to adopt an outsourced cloud computing solution.

First of all, we need to define what we are talking about, because there are many definitions of "cloud computing". Recently, a well-known CIO defined it as computing technology in which virtual servers are controlled by an organization and end users access them through the network. We define "cloud computing" as the delivery, as a service over the network, of commercial software, software applications and data stored on virtual servers. Outsourced cloud computing provides enterprise technology commercially: infrastructure as a service, software as a service and platform as a service, all offered online under the Web 2.0 framework. When a third party controls any part of the cloud, data security, privacy, and regulatory issues arise. In a way, the problem arises when the data line is replaced by a communication scheme that bundles data from n companies. As third parties try to get the full efficiency of virtualization technology and commercialize functions that enterprises traditionally ran themselves (infrastructure, system platform and software), legal risks emerge.

The benefit of third-party solutions is that the commercial software is well established. From third-party software vendors that leverage the requirements of many users to outsourced infrastructure vendors that invest in technology faster and newer than a single user could, third parties can achieve economies of scale while reducing the cost of delivering functionality. However, these gains come with risk, and the following are the risk issues to focus on.

1. Storage and transfer of data

In traditional outsourcing agreements, users can negotiate with the vendor about where data is stored (including where backups go). In this way, both users and vendors understand which controls are needed to satisfy the regulations on transmitting the data concerned. Outsourced cloud computing, however, is cost-effective because vendors can move data anywhere in the world and send one enterprise's data to different locations, depending on capacity, application, and bandwidth. This added freedom will result in processing that does not comply with many of the world's regulations on data storage and transfer.

Historically, users and vendors have commonly addressed this risk in outsourcing planning by having the user ask the supplier to adopt a specific process that makes data transfer compliant. Without such requirements, vendors are not liable for the storage and transfer of user data. Over time, suppliers have become aware that they should respond to their users' needs, and that they must integrate these requirements into their solutions to sustain growth in economies of scale. Ultimately, we believe that outsourced cloud computing providers will be able to build data-transfer compliance components into their commercial technical services, that the cost will be offset by a growing user base, and that suppliers will include this cost when setting the service price.

Early cloud vendors, for example, allow customers to control where data is stored for certain technologies through "available zones." Because each country's data transfer regulations are different, cloud providers can store data in a predetermined area (for example, the European Economic Area). With this approach, data can be continuously transferred from the vendor's European servers without breaching the rules, because the data is stored in specific permitted areas.

2. Data security

Data security and data protection are often the main concerns in outsourcing plans. An outsourcing agreement specifies precisely the security management technology that the supplier must adopt. The implementation of these security management plans is driven by the rules protecting sensitive data (personal data or financial data). How do you maintain that control with an outsourced cloud computing solution? The CEO of Cisco says that cloud computing is like a data security nightmare and cannot be controlled in the traditional way. For most companies, data security and data protection are the biggest obstacles to moving applications that contain sensitive or confidential data to outsourced cloud computing.

As with ASP, telecom transmission and service agreements, cloud computing agreements are gradually becoming one-sided and difficult to negotiate. For example, one online cloud vendor's contract is non-negotiable and heavily favors the supplier: the supplier is not responsible for data security; the user is responsible for the security, protection and backup of the data; and the supplier is not responsible for any unauthorized access to, or use, destruction, deletion or loss of, any data.

Outsourcing contracts with cloud suppliers therefore call for more care, and they contain fewer terms and conditions. Users should check whether the outsourced cloud computing solution guarantees data compliance; ultimately, users will rely on the vendor-supplied solution description and trust that compliance is ensured (whether directly, as with banking or medical software, or indirectly, for example by stating specific data storage locations). As a result, a supplier's failure to carry out the described processing of user data is treated as a failure to comply with the service description and is subject to compensation under the contract.

As with any outsourced program, reviewing the vendor's solution to determine how data access is controlled is a critical step. Does the vendor's solution restrict access to enterprise data and monitor those who access it (so you know who has accessed which data)? What are the encryption requirements? How often is the data archived? Do all applications and other software have the latest security updates? Does the security level agreement include a clause making maintenance of the security system a performance parameter?

3. Replacing suppliers

Another risk to take into account with outsourced cloud computing services is the need to secure business continuity before the outsourced services are terminated. Most outsourcing agreements provide for exit planning and transition services, including the transfer of data in a format that another vendor or an in-house solution can use. Some cloud service agreements contain no terms dealing with these issues. For example, one online cloud vendor's agreement allows the vendor to terminate the agreement at any time with no responsibility for maintaining the data. At best, the agreement says the data will not be intentionally erased within 30 days. You must negotiate termination of service with the supplier, including the transfer of data to another vendor or back to the enterprise, and you should ensure that data is periodically transferred to a backup vendor to maintain business continuity in the event of a disaster.

4. Other risks

Many of the risks of outsourced cloud computing solutions are the same as those of other outsourced solutions, but they are difficult to transfer through agreements. Outsourcing, for example, means handing service-level measurement and reporting to suppliers and relying on the suppliers' infrastructure to deliver critical performance information. In a cloud solution, there is less room for customization. Similarly, most suppliers are unlikely to compensate the user if a problem occurs or the partnership is dissolved, unless a precise contract has been negotiated. Compared with traditional outsourcing agreements, cloud agreements offer little room for negotiation. But the price of cloud outsourcing is tempting.

II. Recommendations

Because the enterprise is responsible for controlling its data, it must ensure that its cloud suppliers comply with regulations. Here are some useful data protection measures when implementing outsourced cloud computing:

Determine whether outsourced cloud computing is appropriate for your application. Outsourcing is not appropriate if sensitive data is included.

Encrypt data before it is sent to the cloud system. Industry experts say this is a good way to reduce potential risks.

Control data access. Ensure that the vendor restricts who can access the data and monitors those who do.

Bear in mind your e-discovery responsibilities and the need for rapid access to electronic records held by the supplier.

Follow all the rules that must be obeyed, because your organization bears the consequences of any non-compliance with data protection regulations. You must be clear about where your business data is stored, and the cloud provider must give you this information so that you can assess for yourself whether the location poses a risk. If the vendor does not tell you where the data is stored, you should not send any sensitive data.

Where possible, control where the data is stored. This is the best way to ensure that vendors (and, more importantly, users) comply with data security regulations. Limit the cloud vendor's discretion over where the data is located.

Include terms in the agreement that require the supplier to update its protection systems so that they stay in line with industry best practice.

Develop appropriate disaster recovery and business continuity plans. Require vendors to archive your enterprise data so that it can still be accessed when the system crashes.

Have another party, a non-cloud vendor, back up and/or store your business data on a regular basis.

Use technical and regulatory audits to ensure data security and system integrity.

Make clear how the data will be returned, or how vendor backups will be handled, at the end of the contract.

Manage the relationship with outsourced cloud computing providers flexibly, using service levels to ensure vendor compliance.
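The recommendations on storage location and encryption can be enforced as a check that runs before any data is sent to the vendor. The following Python code is an added example, not part of the original article; the region labels, the jurisdiction mapping, the EEA-only rule and the inventory are all constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import List, Optional

ALLOWED_JURISDICTIONS = {"EEA"}  # assumption: the enterprise permits EEA storage only
# Constructed mapping from hypothetical vendor region labels to jurisdictions.
REGION_JURISDICTION = {"eu-zone-a": "EEA", "eu-zone-b": "EEA", "us-zone-a": "US"}

@dataclass
class Dataset:
    name: str
    sensitive: bool
    client_side_encrypted: bool
    primary_region: Optional[str]  # None means the vendor did not disclose it
    backup_regions: List[Optional[str]] = field(default_factory=list)

def review(ds: Dataset) -> List[str]:
    """Return findings for one dataset; an empty list means it may be uploaded."""
    findings = []
    copies = [("primary", ds.primary_region)] + [("backup", r) for r in ds.backup_regions]
    for kind, region in copies:
        if region is None:
            # An undisclosed location blocks sensitive data only.
            if ds.sensitive:
                findings.append(f"{kind}: location undisclosed for sensitive data")
            continue
        jurisdiction = REGION_JURISDICTION.get(region)
        if jurisdiction is None:
            findings.append(f"{kind}: unrecognised region {region}")
        elif jurisdiction not in ALLOWED_JURISDICTIONS:
            findings.append(f"{kind}: {region} is in {jurisdiction}, not permitted")
    if ds.sensitive and not ds.client_side_encrypted:
        findings.append("sensitive data is not encrypted before upload")
    return findings

def audit(inventory: List[Dataset]) -> dict:
    """Map dataset name to findings for every dataset that fails review."""
    reviewed = {ds.name: review(ds) for ds in inventory}
    return {name: findings for name, findings in reviewed.items() if findings}

# Constructed sample inventory; backup copies are checked like primary copies.
INVENTORY = [
    Dataset("marketing-assets", False, False, "eu-zone-a", ["eu-zone-b"]),
    Dataset("payroll", True, True, "eu-zone-a", ["us-zone-a"]),
    Dataset("patient-records", True, False, None),
]

if __name__ == "__main__":
    for name, findings in audit(INVENTORY).items():
        print(name, findings)
```

The payroll case shows why backup locations belong in the review: the primary copy sits in a permitted area, but the backup does not.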

(Responsible editor: The good of the Legacy)
