How safe is the cloud?

Cloud based services (SaaS) is really starting to take off now and the time feels right to start seriously considering cloud based applications. However, I have one niggling concern - data security.

Some major organisations have been the victims of successful hacking attacks in recent times and some of these are actually technology companies themselves.

This raises some very serious questions for employers adopting cloud based HR systems, which potentially hold sensitive data about their employees.

The obvious ones are, how secure is the service provider's system?
and, how do they ensure it stays secure?

I can't help wondering what the consequences would be if a large organisation's employee records were accessed by hackers.

Does anyone else have any concerns about this or am I just being paranoid?

You bring up some relevant points. Here is a good article from Deloitte's website on HR and the cloud HR in the Cloud: It?s Inevitable | Human Capital Trends 20| Deloitte Consulting interesting stuff.

Quote:

---

Originally Posted by Brad@Triscope

You bring up some relevant points. Here is a good article from Deloitte's website on HR and the cloud HR in the Cloud: It?s Inevitable | Human Capital Trends 20| Deloitte Consulting interesting stuff.

---

Under "Lessons from the front lines" it says;

"Security. SaaS security may be as effective as security associated with in-house data centers, but many companies just don’t have the comfort level to go down this path. And even some early adopters are keeping particularly sensitive applications in house.

Surely where the SaaS service was located geographically would also be an important factor. At the end of the day the weakest point in security is usually human beings!

This is a very good question and I come across it all to often. Any decent and creditable company will have processes, procedures and technology in place with relation to security and should easily be able to demonstrate such features to prospects and clients.

At ADP we have many levels of security from encryption to the Bunker which only select employees have access (this can address your fears that most security issues are human beings). We also find it important to limit security details on the web due to the importance of top level privacy, but we are happy to discuss in person if you are still evaluating.

Have a look at the link attached and feel free to contact me via email:
brian.schultink@adp.com

The above is all very true, however there is a problem with this though…it is to do with information security – you can put things in the cloud, but then who owns the data?

You can have every security certification in the world, but if you don’t control the cloud you have put your information in…who is to say who has access to that information….

Indian CIOs' cloud concerns - Times Of India


Remember, you may have all the security you need for your information but the server room is not locked………anymore....

I wonder how many of the contributors to this topic hold bank accounts that they access online? We can easily develop "hysteria" about security of data but then contribute towards it in some other way.

I don't see that data "in the clouds" (providing security levels are the same as those that banks have) is any different to having your money available to those people with the "keys to the server room"?

How secure your "cloud server" is can be easily identified; the banks are happy to share their data security ratings - just check it out and then compare.

Quote:

---

Originally Posted by HRMSAustralia

How secure your "cloud server" is can be easily identified; the banks are happy to share their data security ratings - just check it out and then compare.

---

There is a BIG difference. The banks are very much a known quantity. They are multi billion dollar operations and have large numbers of people working on data security. They maintain constant vigilance over their systems, which they themselves manage.

This doesn't compare in any way with a small software company who develop cloud based apps that are served via a third party data centre, possibly through an intermediary company.

I'm not saying that every single provider of cloud based applications is insecure, also the security risk has to be weighed up taking into account the sensitivity of the data being stored in the cloud.

That said, there is no doubt that HR records are sensitive and employers have legal responsibilities pertaining to that data courtesy of the Privacy Act.

So before putting your HR data into a cloud based app I would be asking some very pointed questions about how the security of the data is ensured, on a continual basis. Where the data is physically stored, how it is backed up, and possibly the financial viability of all companies in the chain of service provision.

Bear in mind also, that security ratings, guarantees and even compensation will be little comfort if your data is lost, or worse falls into the wrong hands.

If your bank account gets hacked and someone steals your money, the likelihood is that the bank will simply reimburse you and restore your account - it's just money. But if someone illegally accesses your HR records the consequences could be far more serious.

Don't just take my word for it, even Apple's co-founder Steve Wozniak is concerned about it - Apple Co-Founder Steve Wozniak Thinks Cloud Computing Will Be 'Horrendous'

You might want to contact Ernst & Young - they've a specialist IT Forensics group who may be able to advise or refer you to someone who can. For starters, you could try
simon.ezard@au.ey.com or Tel: 03 9288 8808

But if in the market for a cloud based product, I'd not be going with a new / unproven product and would certainly be asking for evidence and undertakings from vendor that their product is safe. Without that I wouldn't purchase. So in best interests of the vendor or provide clarity and peace of mind around this issue.

This is from a report titled "Gartner: Seven cloud-computing security risks"

Here are seven of the specific security issues Gartner says customers should raise with vendors before selecting a cloud vendor.

1. Privileged user access. Sensitive data processed outside the enterprise brings with it an inherent level of risk, because outsourced services bypass the "physical, logical and personnel controls" IT shops exert over in-house programs. Get as much information as you can about the people who manage your data. "Ask providers to supply specific information on the hiring and oversight of privileged administrators, and the controls over their access," Gartner says.

2. Regulatory compliance. Customers are ultimately responsible for the security and integrity of their own data, even when it is held by a service provider. Traditional service providers are subjected to external audits and security certifications. Cloud computing providers who refuse to undergo this scrutiny are "signaling that customers can only use them for the most trivial functions," according to Gartner.

3. Data location. When you use the cloud, you probably won't know exactly where your data is hosted. In fact, you might not even know what country it will be stored in. Ask providers if they will commit to storing and processing data in specific jurisdictions, and whether they will make a contractual commitment to obey local privacy requirements on behalf of their customers, Gartner advises.

4. Data segregation. Data in the cloud is typically in a shared environment alongside data from other customers. Encryption is effective but isn't a cure-all. "Find out what is done to segregate data at rest," Gartner advises. The cloud provider should provide evidence that encryption schemes were designed and tested by experienced specialists. "Encryption accidents can make data totally unusable, and even normal encryption can complicate availability," Gartner says.

5. Recovery. Even if you don't know where your data is, a cloud provider should tell you what will happen to your data and service in case of a disaster. "Any offering that does not replicate the data and application infrastructure across multiple sites is vulnerable to a total failure," Gartner says. Ask your provider if it has "the ability to do a complete restoration, and how long it will take."

6. Investigative support. Investigating inappropriate or illegal activity may be impossible in cloud computing, Gartner warns. "Cloud services are especially difficult to investigate, because logging and data for multiple customers may be co-located and may also be spread across an ever-changing set of hosts and data centers. If you cannot get a contractual commitment to support specific forms of investigation, along with evidence that the vendor has already successfully supported such activities, then your only safe assumption is that investigation and discovery requests will be impossible."

7. Long-term viability. Ideally, your cloud computing provider will never go broke or get acquired and swallowed up by a larger company. But you must be sure your data will remain available even after such an event. "Ask potential providers how you would get your data back and if it would be in a format that you could import into a replacement application," Gartner says.

Here are three simple tips from Symantec

1 - Lock down access to your data. The fewer the people that have access, the fewer potential, leaks and access points that could be compromised.

2 - Keep corporate and personal information separate. Do not allow access to data on personal devices,a s these can be easily compromised and the security updates are not often performed.

3. Make sure to back up your files. This is still more effective at protecting and storing data, than on the cloud.

Quote:

---

Originally Posted by Moz

This is from a report titled "Gartner: Seven cloud-computing security risks"

Here are seven of the specific security issues Gartner says customers should raise with vendors before selecting a cloud vendor.

1. Privileged user access. Sensitive data processed outside the enterprise brings with it an inherent level of risk, because outsourced services bypass the "physical, logical and personnel controls" IT shops exert over in-house programs. Get as much information as you can about the people who manage your data. "Ask providers to supply specific information on the hiring and oversight of privileged administrators, and the controls over their access," Gartner says.

2. Regulatory compliance. Customers are ultimately responsible for the security and integrity of their own data, even when it is held by a service provider. Traditional service providers are subjected to external audits and security certifications. Cloud computing providers who refuse to undergo this scrutiny are "signaling that customers can only use them for the most trivial functions," according to Gartner.

3. Data location. When you use the cloud, you probably won't know exactly where your data is hosted. In fact, you might not even know what country it will be stored in. Ask providers if they will commit to storing and processing data in specific jurisdictions, and whether they will make a contractual commitment to obey local privacy requirements on behalf of their customers, Gartner advises.

4. Data segregation. Data in the cloud is typically in a shared environment alongside data from other customers. Encryption is effective but isn't a cure-all. "Find out what is done to segregate data at rest," Gartner advises. The cloud provider should provide evidence that encryption schemes were designed and tested by experienced specialists. "Encryption accidents can make data totally unusable, and even normal encryption can complicate availability," Gartner says.

5. Recovery. Even if you don't know where your data is, a cloud provider should tell you what will happen to your data and service in case of a disaster. "Any offering that does not replicate the data and application infrastructure across multiple sites is vulnerable to a total failure," Gartner says. Ask your provider if it has "the ability to do a complete restoration, and how long it will take."

6. Investigative support. Investigating inappropriate or illegal activity may be impossible in cloud computing, Gartner warns. "Cloud services are especially difficult to investigate, because logging and data for multiple customers may be co-located and may also be spread across an ever-changing set of hosts and data centers. If you cannot get a contractual commitment to support specific forms of investigation, along with evidence that the vendor has already successfully supported such activities, then your only safe assumption is that investigation and discovery requests will be impossible."

7. Long-term viability. Ideally, your cloud computing provider will never go broke or get acquired and swallowed up by a larger company. But you must be sure your data will remain available even after such an event. "Ask potential providers how you would get your data back and if it would be in a format that you could import into a replacement application," Gartner says.

---

I think it's a great list of core points to start. As a cloud Human Resource technology provider with over 10 years of experience I can say the cloud does have some additional challenges e.g. ISP's, DDOS attacks on providers, DNS and hosting. But it offers so many more advantages - in addition our professional teams I believe provide many more security advantages

1) Setup for 24X7 security & performance monitoring
2) Proven DR procedures with mutiple offsite and format backups
3) Flexibility of private VS public cloud
4) Separate databases
5) Highly restricted access controls & security layers
6) Separation of access tiers
7) Encrpyted File Systems
8) Encypted application traffic / regular application and infrastructure management and testing

I'd tend to argue inhouse or on premise applications face as much if not more risk in todays connected world.

If you looking for a cloud HR provider - or have any questions feel free to contact us at ActionHRM

Regards

Adam Kelly
and check out our blogs for thoughts on HR and technology

Quote:

---

Originally Posted by actionhrm-australia

I'd tend to argue inhouse or on premise applications face as much if not more risk in todays connected world.

---

Adam, your points are of course also valid, but as you would know, not all cloud HR service providers are equal and every one is likely to be subject to continual change and also be reliant on other service providers upstream.

So if you decide to go down the cloud HR path, contract genuine specialists to do your due diligence before deciding on a provider, then redo the due diligence every 12 months.