No discussion of cloud computing goes far before the topic of security rears its ugly head.
Yet as many analysts report, the economics of cloud computing have become so irresistible that even die-hard opponents, who fear confidential information will be stolen or service outages will hurt their business, are starting to make the shift. Saving money on hiring staff and buying servers simply makes so much business sense.
On the other hand, according to the annual Norton Cyber Crime Report
, the proceeds from cybercrime topped US$338 billion in 2012, more than the US$288 billion take of the global black market in marijuana, cocaine and heroin – and that’s just what we know about.
But we would argue that the real issue is not cloud security. The real issue is poor security and risk management frameworks, regardless of whether the enterprise uses internal or external platforms.
The Security Challenge
Today there is genuine uncertainty about how to manage IT security in the cloud. Recent independent research
and Cloud Security Alliance revealed that 89% of the global information security workforce lacks clarity as to how security applies to the cloud, and 78% of information security professionals lack understanding of cloud security guidelines and reference architectures.
So how can companies make their corporate data safe, including financial data, when processing it outside the organization? Ultimately, the ‘security challenge’ comes down to an understanding of business needs and any associated risks.
To take advantage of the cloud, there are several critical success factors you should consider to help secure your assets.
Know your data. First you should assess your assets since anything to do with the cloud is an exercise in risk management. How much of your data is in fact valuable, unique, or sensitive?
You may be shocked with the analysis. Among our clients, many multinational organizations have been surprised to find the majority of the information they store, including those around financial management, just needs the minimal level of security.
Assess your capabilities. Secondly, you need to take a hard look at your own capabilities. Just because you control your data in-house does not automatically make it secure. Research suggests that most organizations have experienced cyber security breaches, but they often do not realize it.
In reality, we believe that some cloud providers actually provide a higher quality environment than most businesses today – simply because it is their job to safeguard their customers’ data.
Understand the cost. You also need to clearly understand the true costs of internal versus external data storage. It is important to calculate the risk against potential reduced costs.
To do this you should consider the data sensitivity and the benefits of processing it externally. Of course, some information including data from Human Resources or research and development is just too sensitive for some companies to entrust to a third party.
Education, SLAs and Audits
So you’ve decided to sign up with a cloud services provider? Make sure you adopt these other success factors to help safeguard your data.
Security awareness. Employees have a vital role to play in preventing unauthorized access to corporate resources and processes. This can be done if companies implement a role-based management system that assigns roles to employees. System privileges and data access can then be bound to those roles by establishing a security awareness and education practice in the business.
Federated identity systems, an arrangement where subscribers use the same identification data to obtain access to the networks of all enterprises in the same group, can also be extended to the cloud. This will allow protection of cloud-based applications and data using internally developed authentication policies and access privileges.
Service Level Agreement. SLAs also play a role. Companies should look at the service levels that providers offer. For example some providers offer a set level of uptime for their software-as-a-service (SaaS) infrastructures, along with a payment guarantee if they don’t perform.
Commodity cloud providers – providers that offer barebones and standardized services and do not allow customized hardware or infrastructure configurations – are typically very weak in their SLAs. Most businesses should look at enterprise-grade cloud providers for business-quality SLAs.
Regular audits. Make sure you regularly audit your cloud service provider.Like any utility company, a cloud-based service provider should be willing to tell customers how it deals with internal problems.
How does it safeguard against disruption? How does it reach out to customers in the event of a problem, and what is its escalation policy?
Benchmarking is also important in evaluating a company’s security posture. But be warned. Security standards designed to focus explicitly on the cloud are still relatively immature. There should, however, be some reassurance about the security of a cloud service provider if it’s certified using broad industry standards such as ISO 270001 and the emerging Cloud Security Alliance
And Don’t Forget to Back Up
Whatever you do in life you should have a back-up plan. Not everything works out as planned all of the time, and cloud-based services are no exception. Just look at the news over the last couple of years to see the problems that significant cloud providers have experienced.
But much like backing up the data on your personal computer, you can also back up cloud-based data locally – although it does depend on what model you’re using.
For example, infrastructure-as-a-service (IaaS) provides virtualized machines in the cloud, giving companies maximum flexibility for backups. Customers can further protect themselves by using the IaaS supplier’s infrastructure as a secondary, overflow reserve of computing and storage power to cope with peak demand, rather than relying on it entirely as the primary computing mechanism.
There’s also platform-as-a-service (PaaS), which provides software frameworks and software libraries on which applications can be deployed. Many PaaS offerings have backup options.
It’s even possible that some software-as-a-service offerings can be configured to provide local backup for a company’s HR information or regional financial reports.
Having a weak security strategy risks not only huge financial losses, but also severe damage to an organization’s reputation and brand. Ultimately, businesses must understand their own responsibilities as custodians of their data, and their customers’, irrespective of the third party providers that they use.
After all, if the worst happens, it is the company’s credibility on the line.
About the Author
William Yeack is President of Asia Pacific at NTT Com Security (formerly known as Integralis), which helps organizations lower IT costs and increase the depth of security protection, compliance and service availability.
Photo credit: Shutterstock