What do you really know about the cloud security of your business?
According to Gartner, while some organizations still aren’t ready to embrace cloud computing, 80 percent indicate a propensity to increase investments in cloud computing in years to come.
Currently, Infrastructure as a Service (IaaS) and Software as a Service (SaaS) are the most widely used cloud services. The challenge for existing cloud users and those considering adoption is that there is not one single cloud security approach, according to Ruggero Contu, research director at Gartner.
Whether you embrace it or not, you need to cater to the cautions and demands of cloud security. Security concerns are most frequently the reason organizations avoid public cloud services. The reality is that cloud service providers typically have the ability to support more effective security systems and platforms than are practical for most individual businesses.
So, what do you really know about the cloud security of your business?
- Approximately what percentage of the total applications in your organization are cloud-based?
- Approximately what percentage of content that is uploaded to cloud apps do you believe is sensitive?
- Approximately what percentage of sensitive content that is uploaded to cloud apps do you believe has been shared with unauthorized individuals or individuals outside of your organization?
- How many cloud apps do you believe are most used on employee BYOD mobile devices and/or unsecured devices?
- How many cloud apps do you believe are in use for business purposes in your organization?
- Which cloud app categories do you believe are the most risky based on your organization's definition of risk?
As cloud technologies and processes mature, the cloud is being increasingly relied on as a vehicle for agile, scalable and elastic solutions. To build competitive advantage and cut costs, CIOs and other IT leaders need to constantly adapt their strategies to leverage cloud capabilities.
What are 5 things you need to know?
Policies & Procedures
According to the Cloud Usage: Risks and Opportunities Survey Report by the Cloud Security Alliance, a quarter of respondents don't have security policies or procedures in place to deal with data security in the cloud. Cloud security architecture is effective only if the correct defensive implementations are in place. Different types of cloud security controls, such as Deterrent, Preventative, Detective, and Corrective controls, are needed to reduce the efficacy of attacks and defend weaknesses in the system. Cloud infrastructure must be governed, and there should be compliance audits to make sure the policies put in place are enforced and that processes and tools are working as planned. These policies will also need to be regularly updated with the adoption of new technologies such as the Internet of Things (IoT).
The greatest threat to cloud security is your own employees. The 2015 Data Breach Forecast by Experian found that employees were the main cause of about 60% of security incidents. Although this type of breach doesn’t make the news in the same way that outside hackers do, the threat of malicious insiders, unauthorized use of cloud services and tools, or negligence of employees not knowing or following policies already in place must be taken seriously. An Identity Management System should be integrated into the cloud infrastructure with encryption to make sure that only the correct employees have access to personal and sensitive data. Work with your cloud provider to ensure that logs and audit trails are in place, secure, and maintained so you know who made what changes and when.
Physical Security & Disaster Recovery
Cloud service providers physically secure the IT hardware - servers, routers, cables and more - from unauthorized access and natural disasters while also ensuring essential supplies like electricity are available to prevent and minimize disruptions.
When choosing a cloud provider, make sure they have a Disaster Recovery (DR) plan for data continuity and recovery. The worst-case scenario is that their systems crash, rendering all your data inaccessible or even unrecoverable, so they must have an emergency plan to mitigate these risks.
Service Providers & Staff
A cloud service provider must be able to ensure its cooperation if information in the cloud is required for litigation or a government investigation. The service provider should also be able to implement the organization’s retention and disposition policies.
When hiring your IT staff, it is essential that they have a comprehensive understanding of the security models and security technology needed to manage in a cloud environment. Depending on the size of the organization, there may be a need to hire a cloud security specialist whose chief responsibility is to keep the company's operations in the cloud as secure as possible.
Be aware of the many information security concerns relating to personnel associated with cloud services, such as security screening of potential recruits, security awareness and training programs, proactive security monitoring and supervision, disciplinary procedures, contractual obligations that are part of employment contracts, service level agreements, and codes of conduct.
When it comes to cloud security, don’t forget about privacy protection for critical and sensitive data such as credit card numbers, retention and disposition protocols, eDiscovery, and global/federal/regulatory compliance requirements such as the Payment Card Industry Data Security Standard (PCI DSS). An enterprise must find the right balance to ensure that business units can reap the benefits of cloud storage while mitigating the risks and threats of cloud computing such as data breaches, insecure APIs (application program interfaces) and malicious insiders.