The cloud is growing without a doubt. International Data Corporation (IDC) predicts that more than 65% of enterprise IT organizations will be involved in hybrid cloud technologies this year. More and more companies are utilizing various aspects of cloud computing to assist in their IT infrastructure, provide applications to their employees, and store important data. Since the cloud is growing so rapidly and showing no signs of slowing down, it is extremely important for organizations to consider how the security aspects of cloud computing can affect their business.
As with most areas of technology, cloud computing is outpacing security. A proactive approach to security for cloud resources, however, can mitigate future trouble and provide a safe and accessible resource for your company.
When dealing with the cloud environment there are some important factors to keep in mind. Explore the different cloud functionalities and ask several important questions: Do any regulatory bodies or rules regarding data transmission and storage govern your business? How does that governance affect your data?
Below are tips to help you better understand cloud computing, protect your organization and keep your data secure.
Tips for Understanding Your Cloud Environment
- Learn your environment and your cloud provider. Responsibilities can often vary depending on which service model you adopt. Make sure you define your organization’s responsibilities and the provider’s. Each environment has a separation of duties that must be explicitly detailed in the statement of work. This can be applied to security and privacy issues as well. If your cloud provider is giving you assurances about security, or if they outsource to another vendor, it is incumbent on your organization to verify their claims independently. When an incident or data breach occurs, the finger-pointing will start almost immediately. It will help if you have verified these claims beforehand. Ask to review the provider’s policies, procedures and controls to assist in assessing their current security profile. Do not assume that they use good security practices; verify it. Analyze the details of the cloud environment and architecture to provide a snapshot of the protections afforded by their controls. This can go a long way toward helping you mitigate risk and institute new procedures based on the new cloud services.
- Satisfy your own requirements before settling on a cloud provider. Many public cloud providers offer default settings that may not meet your organizational security and privacy requirements. Default settings are a sure recipe for disaster, and should be avoided with any technical item, whether physical or software-based. The same holds true for the cloud. Reviewing the cloud provider’s settings, and conducting a risk assessment based on your own policies and procedures, are of utmost importance to ensure you are adequately protecting your data. Many cloud provider service agreements include terms of service, prescribed completely by that provider. Make serious efforts to negotiate service agreements rather than accepting the blanket agreements provided. You can include references to security, incident response, handling of evidence and a host of other extremely important security issues in a negotiated agreement that would typically be left out of a generic one. If you feel unprepared to negotiate an agreement, or financially cannot afford it, then you can employ compensating controls to offset any identified weaknesses in your provider’s service. Deciding on a cloud provider can be a massive financial business step and should not be undertaken without some preparation. You can research different cloud providers to find the one best suited to your requirements. There is more than one cloud provider available!
- Recognize server/client side issues when dealing with cloud providers. Many cloud computing resources utilize a server and a client side. Do not overlook one side in favor of the other. Depending on the service or the provider, you may find extra demands being placed on your client side. These extra demands can cause complications during an incident response or a data breach, and should be considered prior to implementing a cloud solution. The cyber world is constantly changing, bringing with it new demands for resources and functionality. Maintaining physical and logical security of clients can be a source of frustration in regular circumstances. In many instances, cloud applications are delivered to mobile devices via a custom-built client-side application (app) rather than a web browser. This can bring increased security risks and should be assessed prior to implementation.
- Consider accountability for your data, whether it is in the cloud or stored locally. Maintain accountability for your data and applications even when they are deployed in cloud environments. Whether using traditional or cloud-based functions, accountability for your data must be carefully considered. Knowing your systems, your users, and your data can assist you greatly in providing adequate security and privacy accountability.
When determining how to proceed with a cloud solution, these simple ideas will help you identify risks and security gaps that could adversely impact your data. Don’t rush into obtaining a cloud service just because everyone else is doing it. Take the time to conduct research, perform document review and talk with your provider about your security concerns. Ask them if a negotiated contract is acceptable and then work with your provider to ensure that all of your security, privacy and accountability concerns are addressed, before you sign on the dotted line!