Cyber security has been a fixture of conversations about cloud computing ever since the latter began entering the mainstream with the launch of Salesforce.com in 1999 and Amazon Web Services in 2002. This constant attention to the risks that cloud may introduce into IT environments is merited. Having critical infrastructure managed off-site and important software updates handled by third-parties are both big changes from the traditional practices of on-premises IT. Some degree of control has been lost. The only question is whether cloud-based assets are in good hands and protected by adequate security practices.
What is the basis for effective cloud security?
To figure out how enterprises can best ensure cloud security, we need to know what concerns their teams have when considering and/or implementing cloud solutions (e.g., anything from AWS instances for devtest to software-as-a-service applications such as Slack). The results of the IDG Enterprise 2014 Enterprise Cloud Computing Survey, focused on public cloud in particular, provided some helpful information here:
- More than half of the study’s subjects were uncertain about a cloud service provider’s ability to enforce security policies. Similarly, 44 percent worried about not being able to audit their CSPs.
- Forty-five percent cited access over untrusted networks as a potential issue with public cloud.
- A similar percentage identified “questionable privileged access controls” as a significant potential issue with public clouds.
It is important to note that many organizations are only getting started with cloud, which could explain some of the anxiety about what new approaches to infrastructure, platforms and software may entail. The same survey discovered that 56 percent of respondents were still identifying possible opportunities for upgrading legacy IT infrastructure and operations to cloud hosting.
The main drivers of cloud migration strategies have been the desire for business agility and innovation, as well as cost reduction. However, many of these wished-for gains cannot be attained without a practical cyber security strategy. After all, the average data breach now costs an enterprise a few million dollars, and an exceptional incident – think the one involving Target in 2013 and Sony Pictures in 2014 – can turn into a prolonged drag on reputation as well as income.
In coming to terms with cloud security, it is important to understand the relationship between the customer and the CSP and how the two of them can work together to minimize risk. Many of the concerns aired in the IDG survey pertain to uncertainty about how different assets in the cloud – e.g., networks and access control mechanisms – are stewarded by the provider. So any effective cloud security strategy is going to require:
- A firm grasp, on both sides, of the contract and service-level agreement, including which party is responsible for protecting data in each context (the provider's shared-responsibility model spells out where its duties stop and the customer's begin).
- Strong identity controls: unique, hard-to-guess credentials, sound password management and, wherever the provider supports it, two-factor authentication, so that a stolen or reused password alone does not grant access.
- Proper endpoint protection, so that otherwise secure infrastructure and delivery channels are not undermined by unmanaged devices that lack security software and patches.
Once we look at it this way, cloud security seems much less mystifying than it is sometimes made out to be. Working on the first of the three requirements above, though, can prove challenging. Let's look at what enterprises should know about their CSPs.
Cloud service providers can make or break cyber security for their customers
Perhaps the most distinctive feature of cloud security is the loss of the comprehensive control that strictly on-premises IT provides. Just as a record on a piece of paper locked in a vault can be seen as more secure than a spreadsheet with the same entries stored on a remote server, keeping all of your data close to the vest (or, more accurately, on your own machines) can readily be viewed as preferable to entrusting it to someone else.
Writing for diginomica, Infor COO Pam Murphy outlined how this loss of control and other factors contribute to “cloud paranoia.” There is always the possibility that something could go wrong, from a data center outage to missing information.
“Of course, Internet exposure is only one part of cloud paranoia,” explained Murphy. “Even if your data is locked up tighter than Fort Knox, what happens to your apps and data if there’s a catastrophic failure at your cloud provider’s data center? Many companies are legitimately concerned that if a cloud provider’s data center goes down, so will their business. Even just a small amount of downtime can result in lost productivity, revenue – and customers. And what about lost data?”
However, the cloud can be safer than the alternatives, as long as the cloud service provider is serious about security. Murphy went on to note that the widespread use of practices such as high availability, i.e., distributing apps and instances across many geographically dispersed facilities so as to minimize the impact of a natural disaster or electrical failure, can protect the availability of cloud-stored data to a degree that many enterprises could not achieve on their own.
Setting up shop mostly or even entirely in the cloud, with a combination of SaaS and infrastructure-as-a-service, may be an option for startups and relatively young organizations that have very few if any legacy assets. For many mature enterprises, though, the cloud may be something that supplements existing infrastructure and serves only specific purposes such as supporting a particular application or facilitating capacity bursting as needed. Plus, these organizations may be subject to rules and regulations that limit their potential exposure to the cloud.
For these reasons, enterprises often have to combine thorough vetting of CSPs, especially of their security practices, good or bad, with their own tools and practices. Endpoint security, as we mentioned earlier, is a key component in this mix, as is password and identity security. The cloud spans both ends of the connection: remote infrastructure on one side and locally installed clients and browsers that access applications on those servers on the other. Security in this environment will require internal as well as external due diligence.