Tuesday, April 3, 2012

Data control in the cloud

Controls include the governance policies set in place to make sure that your data can be trusted. The integrity, reliability, and confidentiality of your data must be beyond reproach. And this holds for cloud providers too.

For example, assume that you’re using a cloud service for word processing, a skill you can learn by taking online classes. The documents you create are stored with the cloud provider. These documents belong to your company and you expect to control access to those documents. No one should be able to get them without your permission, but perhaps a software bug lets other users access the documents. This privacy violation resulted from a malfunctioning access control. This is an example of the type of slip-up that you want to make sure doesn’t happen.

You must understand what level of controls will be maintained by your cloud provider and consider how these controls can be audited.

Here is a sampling of the different types of controls designed to ensure the completeness and accuracy of data input, output, and processing:

✓ Input validation controls to ensure that all data input to any system or application are complete, accurate, and reasonable.

✓ Processing controls to ensure that data are processed completely and accurately in an application.

✓ File controls to make sure that data are manipulated accurately in any type of file (structured and unstructured).

✓ Output reconciliation controls to ensure that data can be reconciled from input to output.

✓ Access controls to ensure that only those who are authorized to access the data can do so. Sensitive data must also be protected in storage and transfer. Encrypting the data can help to do this.

✓ Change management controls to ensure that data can’t be changed without proper authorization.

✓ Backup and recovery controls. Many security breaches come from problems in data backup. It is important to maintain physical and logical controls over data backup. For example, what mechanisms are in place to ensure that no one can physically get into a facility?

✓ Data destruction controls to ensure that when data is permanently deleted it is deleted from everywhere — including all backup and redundant storage sites.

