Cloud computing necessitates that businesses redefine their approach to information security, compliance, data backup, and disaster recovery, but there can be some confusion over what security concerns the cloud may pose for data protection.
Adapted from Atmosera’s Chief Information Security Officer’s presentation at a SecureWorld conference, this article will attempt to dispel common myths about cloud security.
Myth #1: The cloud is inherently insecure.
This myth stems from the natural perception that “anything outside my control is less secure.” And we don’t have to read much news today to realize that threats to business security are everywhere and are mostly outside of our control.
But there are teams fighting every day to preserve personal and business security everywhere. Microsoft, for example, has developed an entire Digital Crimes Unit to make the Internet safer for consumers and businesses alike.
“When it comes to the cloud, trust and security are paramount,” noted Satya Nadella, Microsoft CEO.
The Digital Crimes Unit is a team of attorneys, investigators, forensic analysts, and engineers. They use Microsoft Azure and Power BI to capture, store, and analyze over 600 million digital security threats every single day. They’re constantly monitoring and building security into the cloud itself.
And it’s working. Microsoft has just received the Pentagon’s highest cloud security rating – Information Impact Level 5 – for unclassified data.
What can businesses do to ensure their security?
First, we recommend you develop a cloud security strategy that supports your unique business needs. This requires working with a trusted advisor with the experience and knowledge to understand the gaps between where a company is, relative to information security, and best practices and security frameworks. Through a comprehensive review process, this broad gap assessment identifies potential cloud security risks and their implications for the organization.
The next step is to create a Risk Registry, which details all known cloud security risks for your organization and will include your vendor risks. We all use vendors and partners in every aspect of our business, so be sure that you document where, and to what extent, your partners are able to support or offset your cloud security risks. This will help you understand, and have confidence, that your cloud solution and vendors have the people, technology, and processes to keep your data and applications secure.
Myth #2: Security is the responsibility of the cloud solution provider.
Cloud security is a shared responsibility between a cloud services provider (CSP) and a company.
When you explore working with a CSP, you must establish:
- The role each party should play in securing your company’s data and applications
- The controls and workflows the cloud solution provider makes available to you
- The right time to apply the controls and workflows
You should expect the cloud solution provider to guide you on best practices and proactively help you establish a proper cloud security strategy. You and your cloud solution provider are going to become partners – with shared responsibilities.
In terms of best practices, it’s critical to remember that cloud security is much more than protecting your data and your applications. You and your cloud solution provider must consider security implications end-to-end and, especially, mind the edges.
Companies must understand best practices around the people, processes, and technology surrounding access to their data and applications, and who can impact their data in motion, data at rest, and data archived for the long term. It’s there that vulnerabilities are most critical and omnipresent, which is why – as Microsoft’s Satya Nadella says – security and trust are so essential.
Myth #3: The larger public cloud platforms provide all the security needed.
Cloud hyperscalers, such as Microsoft Azure, have done an amazing job building massively scalable public clouds that reach all corners of the globe. They make cloud security a cornerstone of their work and invest billions to keep your data and applications safe. However, they focus on the inner core of cloud computing, which encompasses their data centers and the public-facing clouds they power.
Yet, the challenge goes beyond what the hyperscalers control. In fact, most vulnerabilities lie at the edge, with people and the devices they use to connect to the cloud. A proper cloud security framework must be end-to-end and consider:
- The edge: Networks including firewalls
- The endpoints: Any devices used to access data and applications
- The people: Users interacting with the data and how access is managed
What can businesses do to ensure their security?
From a strategic perspective, you and your cloud solution provider must explore exactly which workloads you want to move into the cloud and plan out how to protect them end-to-end.
- How will you design and maintain information security best practices in a cloud environment?
- Do you need to meet specific compliance requirements (e.g. HIPAA/HITECH, PCI-DSS or IRS-1075)?
You’ll need to work with all of your vendors in developing a comprehensive cloud security program. You’ll need to understand the capabilities and responsibilities that each of your vendors will take on as a part of a coordinated incident response program on your behalf, and you must have the cooperation of all of them to be able to test your plan. A competent cloud solution provider will help you with your security strategy and answer the following:
- How will you design and test your incident response plan?
- Where are vulnerabilities and how are they addressed?
- Who needs access to what data and applications?
- How will you monitor and react to possible intrusions or suspicious activities?
- How will you identify a sustainable roadmap and remediate issues over time?
- How can this environment keep up with your changing business needs?
Minding the edges may seem daunting but is made easier with the right trusted partner and is essential as you consider the security of your most critical business assets.