Improving cloud security

July 2013

The cloud poses new challenges for data security but McKinsey has identified some best practice solutions.

Cloud computing can undermine traditional IT policies but research by McKinsey shows that companies can improve their security by using a variety of service models. A January 2013 article by analysts James Kaplan, Chris Rezek, and Kara Sprague assessed how to best protect information in the cloud.

“Refusing to use cloud capabilities is not a viable option for most institutions,” the authors said. In the corporate world, they found that “cloud-free” organisations were now “extremely rare … and in fact may not exist at all.”

McKinsey recommends that companies:

• consider the full range of cloud computing models (including community clouds and on-premises managed private cloud services);

• pursue a mixed-cloud strategy (adapting cloud services to particular tasks); and

• implement a business-focused approach (with a strong emphasis on risk management).

Direct purchasing through the cloud reduces the influence of traditional IT departments and makes “central control” of IT policy difficult. Contracting for the cloud also posed problems as shared and automated platforms can obscure the geographic location of data.

This could create legal risks for institutions which hold personal information. The UK’s Data Protection Act allows personal data to be stored in up to 31 countries (the European Economic Area) but applies strict rules on transferring data to other locations. As cloud-based procurement is relatively new, McKinsey expects that many of the legal issues involved in contracting will only be resolved by litigation.

Aggregating data and putting it into a private cloud environment also carries risks. While this may make some business processes more efficient, it also increases the potential for a major data loss. Many consultants see the dispersal of data across many platforms as an outdated and traditional mode of working. However, it does mean that data-related problems can be more easily contained.

Lost or stolen devices with sensitive data stored on them are among the greatest risks for companies: “This means that the mind-sets and behaviours of line staff and managers can have great impact on cyber-security.”

The cloud’s clearest benefits are improved transparency and the ability to “solve problems once” and roll out solutions (such as security improvements) across all cloud environments.

Separately, the not-for-profit Cloud Security Alliance (CSA) has been operating since 2008 to promote best practice in this area. In May, the CSA’s cloud vulnerabilities working group published a white paper on 172 cloud outages over 2008-2012.

The report found that the top three vulnerabilities were insecure interfaces and APIs, data loss and leakage, and hardware failure. In 25 per cent of cases, the cloud service provider could not explain the exact cause of the problem.

“We hope that the results of this research will encourage increased transparency and accountability amongst the cloud service providers,” said study leader Ryan Ko. The CSA has a mainly American membership but also has 10 chapters in Europe, including one covering the UK.

Related Articles

The future of digital public services

Harnessing the power of mapping data

Scottish local government: Connecting with citizens

Digital policing: Building a smarter force