Strategies for Cloud Security
In this article, Nubifer’s Research Team explores how to get started with cloud security. What are the bare essentials? How do you merge traditional controls with advanced technologies like DLP (Data Loss Prevention) and risk management? How will you convince auditors that your cloud projects are as secure as your on-premise ones?
Security Concerns Slowing Cloud Adoption
A recent Cloud Trends Report for 2011 found that the number of organizations prioritizing the move to cloud computing nearly doubled from 2009 (24%) to 2010 (44%). However, the study also found that cloud security is the number one obstacle to adoption. Of those surveyed, 26% cited security as their chief cloud concern, while 57% ranked security among their top three concerns.
However, a recent study commissioned by CA Technologies learned that, despite all of the concerns about security, roughly 50% of those embracing the cloud fail to properly evaluate providers for security prior to deployments. The study, Security of Cloud Computing Users: A Study of Practitioners in the US & Europe, discovered that IT practitioners vary wildly in their assessment of who is responsible for securing sensitive data in the cloud and how to go about it.
According to Chad Collins, CEO of Nubifer Inc., many CIOs are projecting their own internal security weaknesses onto cloud providers. “When security is used as an excuse, often the fact is that CIOs want to avoid examining themselves. If you don’t have a handle on governance, risk management and regulatory compliance internally, you’ll expose just how lacking your security is if you try to move to the cloud.”
Determining a Cloud Security Plan
Even if many organizations lack the intestinal fortitude to scrutinize their own (possibly deficient) security practices, there are still plenty of valid cloud security fears. Transferring the responsibility of protecting sensitive data to a third party is hair-raising, especially in an industry that has to comply with regulations such as HIPAA, SOX or PCI DSS. Throw in hypervisor vulnerabilities, DDoS attacks, application-level malware and other problems, and the line between rationalizations and legitimate worries is blurred.
Cloud risks still involve many unknowns, which is exactly why a comprehensive cloud strategy is a must: without some sort of workable plan in place, how will you adapt and improvise as conditions change?
A good starting point is your most privileged users, because they hold the keys to your most sensitive data. Your CFO or comptroller is your biggest risk for financial applications and data. Your head of HR must be managed carefully so that leaky personnel files don’t come back to haunt you. And, of course, the biggest risk of all is your CEO.
Attackers know this, which is why C-level executives are constantly targets of so-called “whaling attacks,” such as the CEO subpoena phishing scam.
Privileged users can also be the most difficult to secure, though, because they will often veto any security control they don’t like. After all, these are the bosses. Thus, it’s not going to be easy to put a blanket ban on riskier devices, such as smartphones or tablets, so you’d better have a Plan B. Instead of banning the devices, you can establish proper authentication, access control and identity enforcement to ensure that your privileged users are at least who they say they are.
A plan to protect your most privileged users has the added benefit of providing you with an overall cloud security roadmap. Are remote-user risks a concern? Your most privileged users will probably want remote access. How about data loss protection? Your privileged users have more rights to more data than anyone else. What about securing mobile devices? Your CEO probably has several of them.
Moving from Internal Controls to Third-Party Evaluation
As you move from evaluating yourself to evaluating potential cloud vendors, don’t forget to investigate how far cloud services have already spread into your organization. Has your sales team signed up for Salesforce.com? Are your project managers using Basecamp? Has HR invested in Taleo?
As name-brand cloud/SaaS providers, Microsoft, Salesforce.com and Google all have solid reputations, so getting those projects to conform to your internal security controls shouldn’t be an issue. You’ll want to vet the others, though, and make sure they aren’t fly-by-night providers that don’t take the time to properly secure their environments.
After your internal controls are in place, get out of the data center business and start shifting resources into private clouds.
Finally, as licenses expire and upgrade cycles hit, you’ll be in a position to knowledgeably and safely scrutinize the public cloud vendors you will eventually trust with your mission-critical resources.
Effective security involves policies, technology and operational controls. Yes, you can drill down – way down – within those three categories, but those are the general areas. “If you focus on the bookends when evaluating vendors, you should learn a lot about how they will handle your data,” Collins said.
Those bookends are governance on one end (how will data be managed and secured?) and auditing on the other (how do providers prove they’re doing everything they claim to be doing?).
Following that advice will get you started. For more information on formulating a Cloud Security strategy visit Nubifer.com.