A clearer view of cloud computing security now that the haze is gone

This vendor-written tech primer has been edited by Network World to eliminate product promotion, but readers should note it will likely favor the submitter's approach.

The cloud is here to stay because most organizations are looking to the cloud for "extension" -- the capability to take their business in new directions faster, rather than simply as a method of cost management. And now that the hype haze has disappeared, we have a much clearer picture of how to get the best from the cloud.

This is a crucial time for IT managers. The cloud computing and consumerization (BYOD) technology waves are changing the distribution of IT control: Users are taking more control of the devices they use; business managers are taking more control of the budgets; and service suppliers are taking more control of the data they handle. CIOs and IT managers who want to contribute to their organization's acceleration in 2012 need to be able to coordinate these different elements in a much wider scope than ever before to retain control. It's time to adapt or be swept aside.

While traditional information and communications technology approaches focus on owning and controlling resources, assets and contracts, a practical and balanced benefit-risk cloud assessment involves new ways of thinking and a shift of focus toward accessing evolving services.

Part of the pragmatic trade-off is identifying and tackling the biggest security concerns associated with the cloud: corporate data confidentiality, privacy, compliance, and the integrity of services and/or data. Some enterprises try to protect everything against every imaginable threat; others spread whatever they can afford evenly, hoping this will keep attackers at bay.

Instead, finding the right trade-off for your organization involves determining your organization's appetite for risk -- i.e., the amount of risk you're prepared to take in each area of your operations. Then you can start to think about not just the defenses you need to put in place but the processes you need to enforce your security policies. And then you can initiate the cultural move from a zero-risk/zero-breach mentality to a predict-and-prevent/risk-resilient mentality.

Here are eight essentials to keep your data secure in the cloud:

1. Plan and research. Understand exactly what you want to achieve and what type of data you want to move to the cloud. Research the market and the different services, service level agreements and security features available. Investigate hosting and find out the regulatory implications of data being stored in different countries.

2. Look for a supplier you can trust. You need a relationship grounded in a shared understanding of accountabilities and expectations.

3. Outsource responsibility responsibly. Use the tools that are there to protect your organization against risks -- contracts, governance frameworks, due diligence procedures, and insurance policies.

4. Put your prospective supplier under the microscope. Find out who within the supplier organization will have access to your data; ask for audit logs, details of compliance certification, or info about a recent audit that they can share.

5. Prepare for cloud culture. The automated interface of many cloud services can feel alien to IT departments used to dealing with people within supplier organizations. Procurement, legal or commercial teams can also find the pay-as-you-go contracting model of cloud services demanding. Work to help these teams understand the value of the cloud, or they may become strategic barriers.

6. Protect your data. Use strong authentication. Encrypt your data when stored and transmitted and keep access to your encryption keys within your organization. Make sure data no longer needed is permanently erased from computer memory and storage.

7. Prepare to prevent DDoS attacks. Attacks that deny access to legitimate users are relatively common. However, with the right planning, cloud systems are highly resilient against simple flood attacks and excel at ramping up more bandwidth and resources in the face of gigabytes of malicious traffic.

8. Review regularly. Seek independent audits of suppliers' offerings to ensure they are still best-in-class and the best fit for your needs. Test your systems and procedures, and remember to review the human elements, too.

Ultimately, the benefits of moving to cloud architecture are widely accepted and potentially huge: increased agility due to rapid provisioning and de-provisioning of resources, significantly reduced capital expenditure and fixed costs, easy availability of services to a mobile workforce, less time spent managing technology and software and more time spent managing information and data to drive business innovations. But the key, of course, is to strategically and effectively manage the inherent security challenges.

BT is one of the world's leading providers of communications services and solutions, serving customers in more than 170 countries. Its principal activities include the provision of networked IT services globally; local, national and international telecommunications services to its customers for use at home, at work and on the move; broadband and Internet products and services and converged fixed/mobile products and services.


Stories by Scott Cain, chief architect, Customer Innovation and Portfolio, BT Global Services
