Whether you're a small business relying on Google Docs for document sharing or an enterprise moving your global ERP system to the cloud, you should demand that some common security and compliance requirements are met by vendors providing applications and services over the Web. These requirements involve who can access your applications and data, as well as the systems hosting them; where the data is stored; and whether the data is hosted on dedicated, rather than on shared, hardware. They also ensure that you get detailed logs of who has accessed your data and applications so that you meet corporate and regulatory standards, and they verify that data is properly encrypted -- a factor that's more critical outside the corporate firewall.
What you demand of the cloud depends on your corporate standards and your compliance needs, the amount and type of workloads you're moving to it, and how you are dividing administrative and security responsibility between your staff and your provider. Security requirements also vary depending on whether you're using software as a service (SaaS), infrastructure as a service (IaaS) or platform as a service (PaaS) offerings. But you should at least consider each of the following questions in your cloud security plans.
1. Who has authentication/access control?
The ability to prove that users are who they say they are and control the data they can see and the functions they can perform, based on their identities and roles, is the top priority of almost every cloud user interviewed for this story. Authentication can be the most challenging when you maintain user information and controls within the firewall using a repository such as Active Directory but host your servers and applications in the cloud.