Posted by Darren Ratcliffe & Peter Shillito | 19 Jan 2011
The cloud will help focus attention on security in organisations, thus leading to improved information risk management
Despite the business benefits of cloud computing, analyst reports highlight that many IT decision makers are wary of the service, with security as the biggest concern. However, we believe these fears are misplaced. In fact, with the right approach, security can be a catalyst for the successful procurement of cloud services.
To embrace the cloud, organisations and their IT service partners must take a more structured approach to managing information risk. Rather than worrying about cloud security, we believe that the cloud will help focus attention on security in organisations, thus leading to improved information risk management.
In order to make a relationship between an organisation and its cloud supplier work, there must be a balance between the clients' need to understand what controls are in place and the suppliers' reticence to over-expose themselves. So choose a partner with the right culture and demonstrable experience in handling systems and security for existing customers.
It is clear that security vendors will need to develop innovative new protection mechanisms to keep pace with the cloud as it develops, but in the meantime most organisations will have to pay particular attention to some well-documented risks:
• Avoiding the compromise of the virtual machine management layer – making sure that cloud providers can show they have followed best practice in hardening hypervisors and have an active vulnerability management programme.
• Mixing of different customers and trust levels in a single logical layer – setting clear process and technical policies for any co-residency, and being prepared to enforce these internally and on errant clients. Making use of new technologies, such as data loss prevention, and associating this with the roles and identities of business users.
• Providing comprehensive controls over privileged users – ensuring that the provider enforces a strict segregation-of-duties policy, backed up by a comprehensive monitoring and reporting approach, which forms one of the foundations of an overall governance, risk and compliance strategy.
Darren Ratcliffe is service offering manager for infrastructure-as-a-service at Fujitsu UK & Ireland; Peter Shillito is the company’s strategy manager for information assurance.