Managing IT Security in the Cloud
7 Things to Consider, Part 1
There are many inherent benefits in leveraging the public cloud, such as infrastructure agility, scalability, cost-efficiency, and in many cases, performance. In the past couple of years we’ve seen that companies, from small to large enterprises, which have significant footprint in the traditional data center more willing to adopt cloud infrastructure and migrate critical workloads onto cloud infrastructures. Even with these benefits, many of our clients and prospective clients are still hesitant to go “all-in” on public cloud due to concerns around security and visibility. All enterprises, whether a born-in-the-cloud company or a traditional enterprise, should consider 7 things when managing IT security in the cloud:
1. Align Cloud Security of Your Organization to SLAs and Business Objectives
There are many security products and solutions out there in the marketplace that can help secure data, applications, OS, and network configurations in the cloud. Instead of just chasing after the shiny objects, it is important that you vet the right ones that are truly aligned with your SLAs and business objectives. Organizations should understand and document current critical business metrics and how they will change when operations go into the cloud — and figure out how cloud security solutions could help uphold these metrics of success. Of course, effective governance, risk, and compliance processes (internal audits) should also exist before bringing on new solutions.
2. Disaster Management
A good security solution should not just simply detect potential threats and block attacks. It should also have disaster management capabilities (or align with your existing DR strategy) to recover any lost data and track origin of the attack for subsequent investigation. One of the most widely employed disaster management strategies is secondary data back-up centers detached from their respective primary servers. Therefore, only the primary servers are affected in case of an attack. Companies should conduct periodic exercises for this and plan for proper steps that can be taken to ensure business continuity in the event of a significant breach.
3. Risk Management
Similar to securing a traditional data center (on-premise), in a cloud-based setting you also need to fully grasp all the major risks your company data face by conducting a comprehensive threat assessment. What type of data do you handle, process, and store? Which is the most sensitive part of your data, which if leaked, would result in negative publicity and impact on the bottom-line? It’s important to keep in mind that certifications and accreditations (PCI, HIPAA, ISO, SOC, etc.) for cloud providers don’t mean that you’re assured compliance—it’s ultimately your responsibility to encrypt and secure your own data. Encryption keys should also be protected in a robust manner.
In my next blog, we will look at the final 4 areas to consider with IT Security in the Cloud. Stay Tuned!
CMI – Your Adaptable Data Center Company
I agree that “Similar to securing a traditional data center (on-premise), in a cloud-based setting you also need to fully grasp all the major risks your company data face.” A new study, related to security for the mix of environments, by the SANS Institute reported that “fewer than a third of organizations have a strategy in place to tailor security requirements to the mix of environments they use,” and “fewer than a third of organizations have a strategy in place to tailor security requirements to the mix of environments they use.”
The study reported that “75 percent of organizations utilize identity and access management tools on premises, only 31 percent use it in the cloud,” and “63 percent of organizations use a SIEM to track security events across traditional data center assets, just 25 percent do the same with cloud assets.”
I agree that “It’s important to keep in mind that certifications and accreditations (PCI, HIPAA, ISO, SOC, etc.) for cloud providers don’t mean that you’re assured compliance—it’s ultimately your responsibility to encrypt and secure your own data. Encryption keys should also be protected in a robust manner.”
Recent guidance from Gartner is recommending to “understand when data appears in clear text, where keys are made available and stored, and who has access to the keys,” and recommending to “apply encryption or tokenization.”
Amazon published “Introduction to AWS Security by Design” in October 2015 and recommends to “Encrypt your data or objects when they’re stored in the cloud, either by encrypting automatically on the cloud side, or on the client side before you upload it.” A recent Gartner report concluded that “Cloud Data Protection Gateways” provides a “High Benefit Rating” and “offer a way to secure sensitive enterprise data and files.”
Ulf Mattsson, CTO Protegrity