This is starting to change: infrastructure as a service (IaaS) giants such as Amazon and Microsoft are expanding their data centre footprints to multiple locations, allowing the information of regulated industries to be stored locally. At the same time, security controls and policies are helping firms take advantage of cloud software as a service (SaaS) applications such as Salesforce as they look to boost efficiency and collaboration.
Today, cloud is considered in some cases to be more secure than on premises solutions. However, the technology also adds security risks that must be considered. So how can companies stay secure while getting maximum benefit from cloud?
Before implementing cloud, companies and technology leaders need to understand the risks. It’s important to consider that as the amount of cyber-attacks increases, cloud is a target for criminals looking to steal data or infiltrate systems.
Indeed, cloud at an infrastructure level has been proven “to be an excellent transmitter of virus”, says Darren Thomson, CTO and VP, technology services at Symantec. “If one instance has a virus on it, it gets propagated really quickly because of the way these environments are scaling up and down.”
At the same time, misconfiguration can cause big problems, says Thomson: “People can configure things incorrectly or not patch an operating system properly, which makes it vulnerable.”
Cloud apps can complicate things further: users want to be more efficient, but this can lead to issues around ‘shadow IT’ as technology leaders lose track of the software being used inside their organisations.
Cloud security – who should take ownership?
Gary Marsden, Senior Director, Data Protection Services at Gemalto, explains who should be most responsible for protecting sensitive or confidential data in the cloud
A step-by-step approach to cloud security
Securing cloud can seem daunting and for this reason, experts advise a measured step-by-step approach. “I would look at risk management,” says Jayme Metcalfe, director, cyber risk services at Deloitte UK. For example: “What’s your intended use case of cloud services?
“There should be an end-to-end understanding before you do anything. This is where a lot of organisations fall down. They want to move to cloud but they don’t understand the business risk.”
And in fact, security can be a business enabler when applied constructively in advance of a migration to the cloud, says Richard Baker, security innovation architect, BT. “The challenge is how an organisation moving to the cloud balances the opportunity of flexibility and cost with the risk of the elements that they are giving away.”
He compares this to way consumers “sign up to things like Facebook and allow them to see certain things about themselves”, adding: “Organisations need to review their own posture and accept the risks. The crucial thing is to assess your risks and have a full understanding of where your data is.”
Top cloud security risks for healthcare
Darron Gibbard, chief technical security officer, Northern EMEA at Qualys agrees, saying: “It is important to understand IT assets. If you don’t know what you’ve got, how can you secure it?”
Taking this into account, Allan Brearley, cloud practice lead, ECS stresses that visibility is key in cloud deployment. “It’s important to know what data you actually have and what needs protecting. You should have a data inventory: this is not ‘nice to have’, it’s essential.”
Thomson agrees that firms need to assess data. He says a cloud access security broker (CASB) – software that sits between cloud and the users – can help: “It allows you to assess data going backwards and forwards and have visibility. But the downside is, we need to tell the CASB what to look at.”
Other considerations of cloud security
When using cloud IaaS, firms need to make sure their own software development takes into account the security requirements, says Elliot Rose, head of cyber security at PA Consulting. For example, he says: “How is it hosted; and who is hosting it? What are the level of controls?”
Another important consideration is the ‘shared responsibility model’ between provider and client. Under the model, Thomson explains: “The cloud provider is taking responsibility for the infrastructure, so the physical security of their data centre is their problem.
“They are also liable for network and infrastructure security, for example, if they are hacked. They sometimes take responsibility for the hypervisor itself, but they are not responsible for the customer’s data.”
The cloud security dilemma – secure or not secure?
Another consideration depends on the sector an organisation operates in. Different types of businesses will have varying data protection needs: a government or financial firm will have to adhere to more strict regulatory guidelines than a retailer for example. However, all firms have a responsibility to protect customer and user data under the EU Update to Data Protection Regulation (GDPR).
Rose says, there is now a “secure by design” approach driven by the regulation. He also points out an onus on users to “dig deep”, look down the supply chain and implement data impact assessments.
Meanwhile, Nigel Hawthorn, data privacy expert, McAfee points out: “If you are a data controller, you are still responsible for information, whichever data processor you might use and whoever you outsource it to – and that includes cloud.”
Securing cloud once seemed a huge task, but today multiple controls and protections can be applied. As part of this, employee buy-in is key: rather than blocking cloud apps or services, companies can train staff to use approved versions. On the technology side, experts advocate basic security controls such as encryption and two factor authentication.
In addition, Gibbard thinks it is important to have the right tool set including web scanning and patching. The latter is a “simple way to prevent cyber-attacks in any environment”, he says.
At the same time, continuous monitoring allows companies to track data in their environment, says Gibbard. He also advocates role-based access control and “making sure you have access to the right systems data”.
Once companies have got a handle on what they need to do security-wise, it’s time to start working out what will move to cloud. As Thomson warns: “No one has an infinite budget so putting everything into cloud and adding one security application on top is not realistic. All these things need to be assessed.”