The Winds of Change in Cloud Security
Feb 10, 2015
Don’t be Careless with Cloud
With the healthcare and finance industries storing sensitive data in the Cloud and high-profile security breaches occurring at JP Morgan and Adobe last year, everyone is concerned that a Cloud security issue could cause major reputational damage, increase remediation costs and lead to loss of client trust. However, it’s important to remember that a breach in a traditional on-premise system is also not uncommon. I read in a recent BT report (on global IT leaders’ thoughts on the Cloud) that 76% of the IT leaders cited security as their chief concern; but the interesting part is that 50% of them admitted to adopting the ‘far-less-secure’ mass market consumer Cloud services, rather than a more secure hybrid solution, designed specifically for the enterprise!
Is it all Bluster?
So, could these concerns be overblown due to a lack of awareness about Cloud security developments? I remember reading in Computer Weekly that, at the RSA Security Conference 2014, security experts discussed another survey from Intermap. This survey showed that, although 40% of the people who described themselves as “Cloud-wary” cited security as the main concern, only 15% of “Cloud-wise” respondents felt the same. Therefore, finding the appropriate Cloud service provider, who can help you become more Cloud security-savvy and has the resources to constantly update their security solutions, is clearly the key to success and peace of mind. Also, when it came to government requests for data, the experts rightly pointed out that big companies such as Google or Microsoft are better equipped to fight the legalities than individual businesses.
Are you Cloud Ready?
With 28% of applications already being hosted in the Cloud and an expected rise to 35% in 2017 (alarming or not), we are all headed towards Cloud for sure. So, how do we do it securely? Well, first it’s important to get a full Cloud readiness assessment to determine which apps and projects are suitable for migration. Secondly, it’s important to find a provider that has an innovative, customizable, regularly-updated security strategy and trusted partners in specialist areas, such as Testing.
Here are some top Cloud security considerations:
- Data Protection – classify and categorize your data sensitivity and adopt best-in-class encryption to secure the full spectrum of data, including data at rest.
- Threat Defence – ensure your provider employs intrusion detection and prevention systems, denial of service attack prevention, penetration testing, antimalware and data analytics to identify and mitigate threats.
- Network Security – securely connect multiple on-premises locations, and keep your traffic off the internet with a secure private connection to your provider’s datacenters, similar to what Microsoft does with their ExpressRoute for Azure. Give your ITO better network control by getting your network traffic sent back to your on-premise location for policy validation and deploying multiple NICs.
- Identity & Access – Controlling who can see and manipulate your Cloud applications is paramount to your security. Restrict access and permissions for sensitive resources, and ensure your reporting shows suspicious access and incidents like someone logging in from an unknown device, stopping a website or deleting a virtual machine.
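To make the Identity & Access reporting point concrete, here is an added example (not part of the original post) that reviews audit events for the three incidents named above. The event schema, field names, action names and device baseline are all constructed for illustration and do not match any provider's real log format.

```python
import json

# Constructed sample audit events (hypothetical schema); the last line is deliberately malformed.
SAMPLE_EVENTS = """\
{"time": "2015-02-09T08:01:12Z", "user": "alice", "action": "sign_in", "device_id": "dev-001", "resource": "portal"}
{"time": "2015-02-09T08:05:40Z", "user": "alice", "action": "restart_website", "device_id": "dev-001", "resource": "web/shop"}
{"time": "2015-02-09T23:47:03Z", "user": "bob", "action": "sign_in", "device_id": "dev-777", "resource": "portal"}
{"time": "2015-02-09T23:49:18Z", "user": "bob", "action": "stop_website", "device_id": "dev-777", "resource": "web/shop"}
{"time": "2015-02-09T23:52:55Z", "user": "bob", "action": "delete_vm", "device_id": "dev-777", "resource": "vm/db-01"}
not-json garbage line
"""

# Devices each user normally signs in from (assumed to come from an asset inventory).
KNOWN_DEVICES = {"alice": {"dev-001"}, "bob": {"dev-002"}}

# Actions the Identity & Access bullet calls out as worth reporting.
DESTRUCTIVE_ACTIONS = {"stop_website", "delete_vm"}


def review_events(raw_log, known_devices=KNOWN_DEVICES):
    """Return a list of (time, user, reason, detail) findings, in log order."""
    findings = []
    flagged = set()  # (user, device) pairs that signed in from an unknown device
    for line in raw_log.splitlines():
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines rather than abort the whole review
        if not isinstance(ev, dict):
            continue
        user, device, action = ev.get("user"), ev.get("device_id"), ev.get("action")
        if action == "sign_in" and device not in known_devices.get(user, set()):
            flagged.add((user, device))
            findings.append((ev.get("time"), user, "sign-in from unknown device", device))
        elif action in DESTRUCTIVE_ACTIONS:
            reason = "destructive action: " + action
            if (user, device) in flagged:
                # Correlate with the earlier sign-in so the report shows the chain.
                reason += " (after unknown-device sign-in)"
            findings.append((ev.get("time"), user, reason, ev.get("resource")))
    return findings


if __name__ == "__main__":
    for finding in review_events(SAMPLE_EVENTS):
        print(" | ".join(str(f) for f in finding))
```

Destructive actions are reported even from known devices; the unknown-device correlation only raises their priority in the report.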
Above all, I think that a change in attitude is the best way to approach designing a successful development and testing strategy in the Cloud. We should view this as a prime opportunity to reassess and enhance our security enterprise-wide. As hackers get more and more inventive, it becomes necessary to adopt such strict security measures to give your customers the confidence they deserve.