Securing your data in the cloud

Enterprises looking to use public cloud computing services should take a multilayered approach to security, reports Hamish Barwick

Public cloud may be able to deliver greater agility to enterprises, but it can also complicate the already fraught information security landscape. And according to a Ponemon Institute report issued this month, cloud may mean that when security breaches do happen, the cost could be significantly higher.

However, the cloud needn't be a criminal’s paradise if IT managers draw up a contingency plan before placing data into a cloud environment and use a multilayered approach to security.

Speaking last month at the Gartner IT Infrastructure Operations and Data Centre Summit in Sydney, the analyst firm’s research director, Michael Warrilow, told delegates that they are not going to get a “perfect risk assessment” when looking at cloud computing.

“In terms of cloud services, it’s around getting what information you can and making the decision. If you wait for the perfect [risk assessment] information, you’ll be waiting forever. The business would have gone past you and purchased cloud services,” he said.

“If something goes wrong, there is a bad sentiment in the organisation towards cloud computing and you [the IT manager] will get blamed for it anyway.”

According to Warrilow, some organisations he talks to are trying to find the “ultimate secure cloud provider”.

“I’ve got on calls with [Gartner] clients who have said that they’re going to use a public cloud and the public cloud provider is going to do my first level support.”

However, Warrilow warned that enterprises will not get that type of support from a public cloud provider. He advised people using public cloud to add a layer of managed services support from a specialist provider.

According to Chris Grant, managing director of consulting firm Protiviti, the growth in mobile e-commerce and move to public cloud computing could open up “a whole new world” of security vulnerabilities.

“According to Gartner research, almost 300 billion mobile transactions worth US$930 billion were processed in 2013. By 2016 more than half of the world’s top 1000 companies will be storing sensitive customer data in the cloud,” he said.

Grant added that Australian businesses have a “poor record” in resisting cyber-attacks.

Citing figures in the Ponemon Institute's 2013 Cost of Data Breach Study, he pointed out that during 2013 Australian companies had data breaches that resulted in the highest average number of compromised records per capita with 34,249 breaches recorded.

“Australia also ranked second after Germany, on the list of countries most likely to experience a data breach from malicious or criminal attack – the most costly breach category for companies,” said Grant.

Despite these threats, many businesses remain “dangerously complacent” about their exposures and continue to seriously under-invest in IT security, he said.

According to Grant, Australian companies allocate 1-2 per cent of their IT budget to security.

“We recommend a minimum spend of at least 2-7 per cent on IT security, depending on factors such as regulatory requirements and individual risk factors.”

Defending the cloud

According to Warrilow, encryption is not a “magic bullet” but a strong weapon to have in the cloud security arsenal.

“Don’t assume encryption is going to be everything,” he said. “It is going to be the focus of the legal testing and precedent whether the use of encryption can justify off-premise storage of data.”

Warrilow advised that IT managers need to work with business managers to make sure they are not making bad security decisions.

“Bring them [business managers] in and make it easy for them to work with you rather than without you. Ultimately we believe that IT management will be the broker of [IT] services. For the foreseeable future it is going to be the provider and the broker.”

Protiviti's Grant suggested that IT managers use a 'defence in depth approach' involving multiple IT security measures to protect assets.

“Because the source of a cyber-attack can be unpredictable, you need to be set up so if one security measure is infiltrated there are fall-backs that can continue to hold the fort,” he said.

“Those integrated measures must protect the business on all essential fronts. These include having robust server and application security which should include a clear policy for when it’s appropriate to use the cloud.”

Encryption can help ensure that communications between transacting parties are private and not able to be tampered with.
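As an added illustration, not part of the article or of the Gartner or Protiviti material it quotes, the following Go program shows what that sentence means in practice: authenticated encryption (AES-GCM from Go's standard library) keeps a message confidential, and decryption fails outright if any byte of the message is altered in transit or if it is presented under a different context. The key, the sample message and the "order-7" context string are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// sealMessage encrypts plaintext under a 32-byte key with AES-256-GCM and binds
// the associated data (aad) to it. Output is nonce || ciphertext || tag, so the
// receiver gets everything it needs to verify and decrypt.
func sealMessage(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	// A fresh random nonce per message; reusing a nonce under the same key
	// would break both confidentiality and integrity.
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, aad), nil
}

// openMessage verifies the tag and decrypts. Any change to nonce, ciphertext,
// tag or associated data makes Open return an error instead of plaintext.
func openMessage(key, blob, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < aead.NonceSize()+aead.Overhead() {
		return nil, errors.New("message too short")
	}
	nonce, ct := blob[:aead.NonceSize()], blob[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, aad)
}

// tamperDetected flips one bit in the middle of a sealed message and reports
// whether the receiver rejects it (true means the tampering was caught).
func tamperDetected(key, blob, aad []byte) bool {
	tampered := append([]byte(nil), blob...)
	tampered[len(tampered)/2] ^= 0x01
	_, err := openMessage(key, tampered, aad)
	return err != nil
}

func main() {
	key := make([]byte, 32) // constructed for the example; real keys come from a KMS/HSM
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	aad := []byte("order-7") // constructed context value bound to the message
	blob, err := sealMessage(key, []byte("transfer 100 to account 42"), aad)
	if err != nil {
		panic(err)
	}
	pt, err := openMessage(key, blob, aad)
	fmt.Printf("decrypted: %q (err=%v)\n", pt, err)
	fmt.Printf("bit flip rejected: %v\n", tamperDetected(key, blob, aad))
	_, err = openMessage(key, blob, []byte("order-8"))
	fmt.Printf("wrong context rejected: %v\n", err != nil)
}
```

The associated data is the detail practitioners most often miss: it lets the receiver tie a ciphertext to its intended transaction or record, so a valid message cannot be silently replayed against a different one. Key storage and rotation are outside this snippet and are where most real cloud encryption failures occur.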

“Sound audit controls should also be implemented so that breaches or other unauthorised activities can be quickly detected. And lastly, payment processing and settlements need to be secure and compliant with the Payment Card Industry Security Standards [PCISS] which protect against credit card fraud.”

To cloud or not to cloud?

More than half the 145 Australian IT professionals surveyed by Gartner in December cited security and privacy in the public cloud as top concerns.

Of the 55 per cent who indicated security and privacy were top of mind when it came to cloud, 19 per cent said they were concerned about lack of visibility into who is accessing data and applications. 12 per cent of respondents said they had a lack of confidence in the cloud provider’s security capabilities, and 8 per cent said there was unclear liability if there is an attack or loss of data.

An additional 8 per cent said that clouds are attractive targets for hackers as they concentrate risk.

However, Warrilow said that many of these concerns are “emotive” and security managers who try to block the use of public cloud services without balancing business priorities are causing “missed opportunities” and potentially unnecessary security expenditures.

“Don’t let your security people scare you into missing opportunities. Cloud security ecosystems such as cloud management platforms, security as a service, secure Web gateway and cloud access security brokers will address these issues,” he said.
