Few now question the benefits that can be realized from cloud through greater business agility, rapid scalability of services and reduced costs. Security however consistently rates as the major concern for enterprises adopting cloud-based services.
Frequent stories of hackers, organized cyber criminals and state-sponsored attackers play into these concerns, not only of information loss but also of deliberate sabotage, in which sophisticated methods are used to target selected victims.
The challenge for those wanting to reap the efficiency and cost benefits of cloud is to find new ways of protecting their physical and virtual assets -- and that requires a whole-of-enterprise approach.
Cloud security begins at home
Evaluating and managing the security risks must be top of mind for organizations wanting to make a successful transition to cloud.
The various deployment models -- public, private and hybrid -- each have their own vulnerabilities and risks, and those risks grow with the number of users and tenants the organization cannot identify or vet.
While the challenges are real, working methodically from the inside out provides the key. CIOs and CISOs must focus on securing their own enterprise's use of cloud-based services rather than on whether the cloud, in general, is secure. Ironically, the key to cloud security begins at home.
There are essentially five key areas that need to be considered:
Cloud access devices -- Users access the cloud from a wide range of devices, including desktop computers, laptops, PDAs, mobile phones, smart phones and tablet PCs. A growing trend blurs the border between personal and business computing devices, making it increasingly difficult for organizations to control security.
The cloud platform -- Future enterprise clouds are likely to be hybrid systems combining both physical and virtualized IT resources, all of which must be equipped with security. This includes malware and data protection measures, as well as network and host security solutions.
Identity and access management -- The security ecosystem may not be entirely under your control in the cloud, so proper security provisioning, governance and management tooling must be in place for reporting and to check for breaches. Outsourcing is an option for those unwilling to manage their own security, identity and access management systems.
Security and compliance management -- In the cloud, this requires more than just security products -- you must also have security-minded people and processes to ensure that the environment operates securely.
Cloud stakeholders -- There are essentially three categories of stakeholders who interact with the cloud, and each has distinct security attributes:
- Consumers, who might be individuals or people linked to an organization.
- Service personnel responsible for delivering cloud security.
- Service governance stakeholders who set the overall security levels to meet audit and compliance requirements.
Four steps to a safe cloud deployment
The traditional perimeter barrier to IT security is no longer effective in a complex cloud environment which has no clearly identifiable boundaries. While technical answers are only part of the solution, a well-rounded program is needed with total business involvement. Security must be incorporated into business and data processes throughout the enterprise -- and not just on the perimeter or in the cloud.
There are four broad steps that organizations should follow when developing their cloud security defense:
Step 1: A risk-based approach
Establishing an approach based on assessed risk is essential for organizations preparing to move applications and data to the cloud. Any review of the potential risks must be undertaken from the viewpoint of how they affect the entire enterprise.
Organizations need to be proactive in identifying issues and finding the correct balance between securing and enabling business activities.
There are four main components to a risk-based methodology:
- Assess the various levels of risk from a compliance and operational viewpoint.
- Address security issues in order of priority.
- Continually monitor and improve the security environment.
- Only use proven security technologies and flexible sourcing models for security transformation programs.
Step 2: Secure application design
Most applications are not designed to run in a potentially hostile environment.
CIOs must therefore ensure that all data and applications are thoroughly reviewed and amended before they are deployed on a cloud platform.
The aim is to make them self-defending, which requires developers to adopt new strategies for application development and data management. They must focus on protecting the information itself, to ensure its confidentiality, integrity and availability even when the surrounding platform cannot be trusted.
Preferably, security architecture should be addressed during the requirements and design phases of a new system, with security measures, access control and encryption built in at a fine-grained level (per record or per field, not only at the network boundary).
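As an added example (not code from the article or from HP), the following Python shows what "self-defending" and "fine-grained" can mean for a record held on a platform the application does not fully trust: each field carries a sensitivity classification, each role is cleared for certain classifications only, anything not explicitly allowed is denied, every decision is written to an audit trail, and the stored record carries an HMAC so modification in storage is detected before any field is released. The record, field classifications, roles and key are all constructed for illustration; a real deployment would take the key from a key manager and would add encryption for confidentiality, which this example omits to keep the integrity and access-control logic visible.

```python
"""Field-level access control plus tamper detection for a record held on an untrusted platform.
Added example; the record, classifications, roles and key are constructed for illustration."""
import hashlib
import hmac
import json

# Constructed: sensitivity class of each field in a customer record.
FIELD_CLASSIFICATION = {
    "customer_id": "internal",
    "display_name": "internal",
    "email": "confidential",
    "card_last4": "confidential",
    "ssn": "restricted",
}

# Constructed: which classifications each role may read. Roles or fields not
# listed here are denied, so the default is deny rather than allow.
ROLE_CLEARANCE = {
    "support": {"internal"},
    "billing": {"internal", "confidential"},
    "fraud_analyst": {"internal", "confidential", "restricted"},
}

# Constructed demo key; in practice this comes from a key manager, never from source code.
DEMO_KEY = b"replace-me-with-a-key-from-your-kms"

# Constructed sample record.
SAMPLE_RECORD = {
    "customer_id": "c-1001",
    "display_name": "Ada",
    "email": "ada@example.com",
    "card_last4": "4242",
    "ssn": "123-45-6789",
}


def _canonical(record: dict) -> bytes:
    # Stable serialisation so the MAC does not depend on key order.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def seal(record: dict, key: bytes) -> dict:
    """Attach an HMAC-SHA256 over the record so modification in storage is detectable.
    (Confidentiality would additionally need encryption; this shows the integrity half.)"""
    mac = hmac.new(key, _canonical(record), hashlib.sha256).hexdigest()
    return {"body": record, "mac": mac}


def unseal(sealed: dict, key: bytes) -> dict:
    """Verify the MAC before trusting anything in the record."""
    expected = hmac.new(key, _canonical(sealed["body"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sealed["mac"]):
        raise ValueError("record integrity check failed: stored data was modified")
    return sealed["body"]


def read_fields(sealed: dict, key: bytes, role: str, requested: list, audit_log: list) -> dict:
    """Return only the requested fields the role is cleared for, and record the decision."""
    record = unseal(sealed, key)
    clearance = ROLE_CLEARANCE.get(role, set())              # unknown role: no clearance
    granted, denied = {}, []
    for field in requested:
        cls = FIELD_CLASSIFICATION.get(field, "restricted")  # unknown field: most restrictive
        if cls in clearance and field in record:
            granted[field] = record[field]
        else:
            denied.append(field)
    # Every decision, including denials, is logged for later audit and forensics.
    audit_log.append({"role": role, "requested": list(requested),
                      "granted": sorted(granted), "denied": denied})
    return granted


if __name__ == "__main__":
    log = []
    sealed = seal(SAMPLE_RECORD, DEMO_KEY)
    print(read_fields(sealed, DEMO_KEY, "support", ["display_name", "ssn"], log))
    print(read_fields(sealed, DEMO_KEY, "fraud_analyst", ["ssn"], log))
    print(log)
```

The two design choices worth copying are the deny-by-default lookups (an unknown role gets an empty clearance set, an unknown field is treated as the most restrictive class) and the integrity check that runs before any field is released, so a record altered in storage yields an error rather than silently wrong data.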
Step 3: Ongoing auditing and management
Continuous compliance monitoring must be in place for the secure delivery of cloud services. Traditional regimes of monthly or annual audits are meaningless in an environment that is constantly changing.
To enable forensic examination and analysis in the event of a security breach, incident records and log files must be continuously collected and maintained, and retained where an intruder cannot alter or delete them.
This information must be available in real time to facilitate rapid response, notification and containment measures.
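As an added example (not code from the article or from HP), the following Python sketches the continuous compliance monitoring this step calls for: it reads a stream of audit-log events, applies a small rule set as each event arrives (console login without MFA, a firewall rule opened to the whole internet, audit logging switched off), and treats the health of the feed itself as a finding, since a stale or silent log blinds the rapid response the text asks for. The event schema, the log lines and the rule names are constructed for illustration and do not reproduce any particular provider's format.

```python
"""Continuous compliance checks over a cloud audit-log feed.
Added example; the event schema, log lines and rules are constructed for illustration."""
import json
from datetime import datetime, timedelta, timezone

# Constructed sample feed: one JSON event per line with a generic schema
# (time, actor, action, params). It is not the format of any particular provider.
# The last line is deliberately malformed to exercise the parser.
SAMPLE_LOG = """\
{"time": "2024-05-01T10:00:00Z", "actor": "alice", "action": "ConsoleLogin", "params": {"mfa": true}}
{"time": "2024-05-01T10:02:00Z", "actor": "svc-deploy", "action": "AuthorizeIngress", "params": {"cidr": "10.0.0.0/8", "port": 443}}
{"time": "2024-05-01T10:05:00Z", "actor": "bob", "action": "ConsoleLogin", "params": {"mfa": false}}
{"time": "2024-05-01T10:06:00Z", "actor": "bob", "action": "AuthorizeIngress", "params": {"cidr": "0.0.0.0/0", "port": 22}}
{"time": "2024-05-01T10:07:00Z", "actor": "bob", "action": "StopLogging", "params": {}}
this line is not JSON and must not crash the monitor
"""

# If the newest event is older than this, the feed itself is the problem.
MAX_FEED_LAG = timedelta(minutes=15)

# Each rule: (name, severity, predicate over one event).
RULES = [
    ("console-login-without-mfa", "high",
     lambda e: e["action"] == "ConsoleLogin" and not e["params"].get("mfa", False)),
    ("ingress-open-to-internet", "high",
     lambda e: e["action"] == "AuthorizeIngress" and e["params"].get("cidr") == "0.0.0.0/0"),
    ("audit-logging-disabled", "critical",
     lambda e: e["action"] == "StopLogging"),
]


def parse_time(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_events(text: str):
    """Return (well-formed events, count of lines that could not be parsed)."""
    events, bad = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            ev = json.loads(line)
            ev["time"] = parse_time(ev["time"])
            ev["actor"], ev["action"] = str(ev["actor"]), str(ev["action"])
            ev["params"] = ev.get("params") or {}
            if not isinstance(ev["params"], dict):
                raise TypeError("params must be an object")
            events.append(ev)
        except (ValueError, KeyError, TypeError):
            bad += 1          # counted, never silently dropped
    return events, bad


def evaluate(text: str, now_iso: str) -> list:
    """Run every rule over every event and add feed-health findings."""
    now = parse_time(now_iso)
    events, bad = parse_events(text)
    findings = []
    for ev in events:
        for name, severity, matches in RULES:
            if matches(ev):
                findings.append({"rule": name, "severity": severity,
                                 "actor": ev["actor"], "time": ev["time"].isoformat()})
    newest = max((ev["time"] for ev in events), default=None)
    if newest is None or now - newest > MAX_FEED_LAG:
        # A silent or stale feed blinds incident response; treat it as critical.
        findings.append({"rule": "audit-feed-stale", "severity": "critical",
                         "actor": None, "time": newest.isoformat() if newest else None})
    if bad:
        findings.append({"rule": "unparseable-events", "severity": "medium",
                         "actor": None, "time": None, "count": bad})
    return findings


if __name__ == "__main__":
    for finding in evaluate(SAMPLE_LOG, "2024-05-01T10:10:00Z"):
        print(finding)
```

In a real deployment the feed would be tailed continuously and each finding routed to the response team, but the shape stays the same: rules evaluated per event as it arrives rather than at a monthly audit, malformed events counted rather than discarded, and the absence of recent events raised as loudly as any rule match.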
Step 4: Infrastructure and network security
When using a cloud-based service, an enterprise has minimal direct control over infrastructure and network security, including operational procedures, network configuration and intrusion prevention.
These are all critical areas, so it is important that the enterprise undertakes a thorough review of the service provider's policies as part of the due-diligence process during contract negotiation and service sourcing.
Look at other options if they fail to meet appropriate standards.
A whole-of-enterprise approach
Security concerns should not be a reason for enterprises to delay their entry into the cloud.
The security risks are real but they can be managed if a whole-of-enterprise program is adopted. It is not about securing the cloud -- it is about securing an enterprise's use of cloud-based services.
In summary, organizations should:
- Establish a risk-based approach to assess the viability of the cloud services.
- Design applications to run securely in the cloud.
- Undertake ongoing auditing and management.
- Assess the security measures of cloud service providers.
Cloud is fast-moving and the opportunities are significant for businesses that plan a secure route.
John Maynard is general manager and strategy development director of HP Asia Pacific and Japan's enterprise security service