The UK Centre for the Protection of National Infrastructure (CPNI) has published a briefing note offering guidance on cloud computing security and risk management. It is based upon a research document compiled on behalf of CPNI by Deloitte.
Key findings within this briefing include:
- In cloud computing, IT operations are outsourced to the cloud; the risk is not. Accountability for customer (and business) sensitive data resides with the cloud customer.
- There is a lack of accepted cloud computing standards at an EU or worldwide level.
- Third-party cloud provider assurance and risk assessment activities are critically important for customers storing data in the cloud. The large number of third parties involved in the cloud, and its geographical dispersion, mean that risk assessment activities are likely to be more complex, time-consuming and costly.
- There are a number of IT data recovery risks associated with hosting data in multi-tenanted data centres, including the corruption of customer data, overloading of computing resources and proving the service meets disparate IT disaster recovery requirements.
The key recommendations for customers of cloud computing are:
- Customers should consider both customer-managed security controls, such as encryption and identity management, and contractually agreed standards covering the right to audit, use of physical security, protective monitoring, data segregation controls and vulnerability management processes to secure their data in the cloud.
- Customers should give particular consideration to the laws governing the interception and disclosure of their data in all jurisdictions in which their data is stored or through which it is transmitted.
- Customers should pursue a programme of assurance activities on their cloud providers to ensure contractually agreed standards are being met.
Read the briefing note (PDF).

• Date: 22nd March 2010 • Region: UK • Type: Article • Topic: IT continuity