Achieving security in the cloud

Few now question the benefits that can be realized from cloud through greater business agility, rapid scalability of services and reduced costs. Security however consistently rates as the major concern for enterprises adopting cloud-based services.

Frequent stories of hackers, organized cyber criminals and state-sponsored attackers feed these concerns, not only about information loss but also about possible sabotage, in which sophisticated methods are used to target specific victims.

The challenge for those wanting to reap the efficiency and cost benefits of cloud is to find new ways of protecting their physical and virtual assets -- and that requires a whole-of-enterprise approach.

Cloud security begins at home

Evaluating and managing the security risks must be top of mind for organizations wanting to make a successful transition to cloud.

The various deployment models -- public, private and hybrid -- each have their own security vulnerabilities and risks, and these increase with the range of potentially unidentified users.

While the challenges are real, working methodically from the inside out provides the key. CIOs and CISOs must focus on securing their own enterprise's use of cloud-based services rather than on whether the cloud, in general, is secure. Ironically, the key to cloud security begins at home.

There are essentially five key areas that need to be considered:

Cloud access devices -- Users access the cloud from a wide range of devices, including desktop computers, laptops, PDAs, mobile phones, smart phones and tablet PCs. A growing trend blurs the border between personal and business computing devices, making it increasingly difficult for organizations to control security.

The cloud platform -- Future enterprise clouds are likely to be hybrid systems combining both physical and virtualized IT resources, all of which must be equipped with security. This includes malware and data protection measures, as well as network and host security solutions.

Identity and access management -- The security ecosystem may not be entirely under your control in the cloud, so proper security provisioning, governance and management tooling must be in place for reporting and to check for breaches. Outsourcing is an option for those unwilling to manage their own security, identity and access management systems.

Security and compliance management -- In the cloud, this requires more than just security products -- you must also have security-minded people and processes to ensure that the environment operates securely.

Cloud stakeholders -- There are essentially three categories of stakeholders who interact with the cloud, and each has distinct security attributes:

  • Consumers, who might be individuals or people linked to an organization.
  • Service personnel responsible for delivering cloud security.
  • Service governance stakeholders who set the overall security levels to meet audit and compliance requirements.

Four steps to a safe cloud deployment

The traditional perimeter barrier to IT security is no longer effective in a complex cloud environment which has no clearly identifiable boundaries. While technical answers are only part of the solution, a well-rounded program is needed with total business involvement. Security must be incorporated into business and data processes throughout the enterprise -- and not just on the perimeter or in the cloud.

There are four broad steps that organizations should follow when developing their cloud security defense:

Step 1: A risk-based approach

Establishing an approach based on the perceived risks is essential for organizations preparing to move applications and data to the cloud. Any review of the potential risks must be undertaken from a viewpoint of how it affects the entire enterprise.

Organizations need to be proactive in identifying issues and finding the correct balance between securing and enabling business activities.

There are four main components to a risk-based methodology:

  • Assess the various levels of risk from a compliance and operational viewpoint.
  • Address security issues in order of priority.
  • Continually monitor and improve the security environment.
  • Only use proven security technologies and flexible sourcing models for security transformation programs.

Step 2: Secure design applications

Most applications are not designed to run in a potentially hostile environment.

CIOs must therefore ensure that all data and applications are thoroughly reviewed and amended before they are deployed on a cloud platform.

The aim is to make them self-defending, which requires developers to adopt new strategies for application development and data management. They need to focus on protecting information to ensure confidentiality, integrity and availability.

Preferably, security should be addressed at the architecture level during the requirements and design phases of a new system, with security measures, access control and encryption built in at a fine-grained level.

Step 3: Ongoing auditing and management

Continuous compliance monitoring must be in place for the secure delivery of cloud services. Traditional regimes of monthly or annual audits are meaningless in an environment that is constantly changing.

To enable forensic examination and analysis in the event of a security breach, there needs to be ongoing monitoring and maintenance of incident records and log files.

This information must be available in real time to facilitate rapid response, notification and containment measures.

Step 4: Infrastructure and network security

When using a cloud-based service, an enterprise has minimal direct control over infrastructure and network security, including operational procedures, network configuration and intrusion prevention.

These are all critical areas, so it is important that the user undertakes a thorough review of the service provider's policies as part of the due diligence process during contract negotiation and service sourcing.

Look at other options if they fail to meet appropriate standards.

A whole-of-enterprise approach

Issues of security should not be a reason for enterprises delaying their entry into cloud.

The security risks are real but they can be managed if a whole-of-enterprise program is adopted. It is not about securing the cloud -- it is about securing an enterprise's use of cloud-based services.

In summary, organizations should:

  • Establish a risk-based approach to assess the viability of the cloud services.
  • Design applications to run in the cloud.
  • Undertake ongoing auditing and management.
  • Assess the security measures of cloud service providers.

Cloud is fast-moving and the opportunities are significant for businesses that plan a secure route.

John Maynard is general manager and strategy development director of HP Asia Pacific and Japan's enterprise security service.
