May 13

One “giant leap” to a secure cloud platform for U.S. corporations

From: Association of Corporate Counsel

Paul A. Ferrillo and Jeffrey D. Osterman | Weil Gotshal & Manges LLP

***

From a data security perspective, though, there are certain security measures that should be investigated by potential cloud customers before they make the decision to move their data to a cloud-based environment. This area is highly technical (and thus security professionals and cyber-governance and cybersecurity lawyers should also be consulted before making this decision), but we try below to boil down these measures into objectives for directors and officers to consider when asked to finally approve a move to the cloud:

  • How is security built into the cloud architecture and into the applications and data that are going to be moved to the cloud-based environment? Is there a constant lifecycle of updates and vulnerability reviews, given that the computing ecosystem is never static?
  • What data am I putting in the cloud? Is it general company HR data, customer PII, financial records, or something else less sensitive?
  • Will the data stored in the cloud be encrypted while at rest or only when it is in motion to and from the cloud? What sort of encryption is available at my CSP?
  • How is suspicious activity monitored on the cloud? By the CSP only, or will the customer have visibility into security monitoring? Will cloud security be continuously monitored by the CSP?
  • What degree of visibility does the CSP make available to the customer (audit logs and metadata recording administrative changes, account usage, system logs, etc.), and can this data be flexibly consumed into your own internal security monitoring systems?
  • What sorts of intrusion detection systems are in place to detect threats to the cloud-based environment, such as malware threats or suspicious network traffic?
