You’re a small business owner (chances are, if you’re
reading this blog that’s exactly why you are here in the first place), and you
are considering using a hosted service to manage some or all of your
information technology needs. I can understand why you might want to do that.
You have a business to run – and all of the productivity issues that come along
with that. The last thing you want to spend your time dealing with is
Information Technology. Yet IT is now necessary in some form for almost any business.
It is a necessary evil for the not-so-technically minded, and even for
those who are a little tech-savvy. And a small business might not have the
budget to support full-time IT staff. So when a company comes along that offers
to host your information, or maybe just provide a particular software package
that will make your life easier, it sounds like a great idea.
And in some cases, it might be. There are some considerations though:
· The type of business
· The type of information
· The type of service
· Regulatory requirements
Security in cloud environments has advanced since cloud computing first became popular. There was a time when I cringed at the thought of any information placed in someone else’s hands. I’ve since softened in my stance, but only under certain circumstances:
· The business isn’t entirely based on financial, medical or personal identifying data.
· The business is comfortable with relinquishing the level of control of that service type.
· The service type is well-matched to the information to be handled.
· Any information covered under regulatory requirements is handled to those requirements.
To clarify, the service types are:
SaaS | Software as a Service – the service provider generally has total control of the environment, and the customer accesses their information via a web browser or client software.
PaaS | Platform as a Service – the service provider offers a base platform and the customer runs their own software on it. The customer has more control, but little back-end access.
IaaS | Infrastructure as a Service – the service provider offers the hardware and network access, and the customer builds their own solutions. In this model, the customer has more control and can sometimes even configure network security such as firewalls.
As an example, the PCI Security Standards Council recently issued
a supplement to the PCI card security standard, specifically laying out
guidelines for cloud computing. Many small businesses that do retail business
over the internet have flocked to cloud service providers to handle their PCI
transactions, due to the stringent nature of the PCI standards and the cost of
implementing such standards for the smaller business. The PCI Security
Standards Council has provided the guidelines to help businesses and providers
determine who is responsible for what part of securing data based on the type
of service and the agreement between the business and the provider.
The key word is agreement.
Due diligence needs to be done by the business to ensure the provider agreement
includes the proper security requirements. The responsibility for securing data
cannot be left to an assumption, even if that assumption is based on the guidelines provided
by the PCI SSC.
This practice should be followed no matter the type of
information or service. As a small business owner, be aware of the information
that is going into cloud services and how it is being handled. Be sure the
agreement with the provider specifies exactly who is responsible for what, and
hold them to that agreement. If your information is regulated in any way,
ensure the agreement covers the regulatory requirements. And remember – even
though your information is being handled by someone else, ultimately, it is
your company’s reputation at stake if something goes wrong.