Securing the cloud: reducing risk with a holistic approach
Cloud computing has firmly entered the enterprise mainstream, delivering numerous benefits in terms of agility by allowing access to computing power from anywhere and on-demand. But does handing enterprise data to cloud providers increase or decrease security risks?
It’s clear that cloud computing providers are a target for hackers and malicious attacks. Like banks attract bank robbers, cloud computing providers hold riches that can profit cyber criminals. So it is little surprise that application attacks on clouds increased by 45 percent in 2014 – alongside a rise of 36 percent in suspicious incidents such as attempts to scan infrastructure. As a consequence of this perhaps, Rightscale’s survey on the State Of Cloud in 2015 found that 41 percent of IT departments rated cloud security as a significant challenge.
But of course the cloud isn’t the only area of IT that suffers from security attacks. In fact most of the major breaches in the last 12 months have not involved cloud services at all. Indeed, analyst Ovum suggests that continued security breaches might push further enterprise cloud adoption. The fundamental problem facing enterprises are the growing number of security risks coupled with a shortage of security staff globally. A recent Frost & Sullivan survey found that 62 percent of enterprises had too few information security professionals, up from 56 percent in the 2013 survey.
So to some enterprises, pushing applications into the cloud allows them to take advantage of the security capability of their cloud provider. On the whole they are happy with the result: an IDG survey found that 74 percent of enterprises were confident with the security of the information assets in the cloud.
However, using a cloud provider doesn’t mean that enterprises can completely outsource their security responsibilities. According the same Frost & Sullivan survey, 73 percent of respondents were looking at developing a number of new skills relevant to cloud computing, including: application of security controls to cloud environments (66 percent), knowledge of risks, vulnerabilities and threats (65 percent), enhanced understanding of security guidelines (62 percent) and risk management (59 percent).
Best practices in cloud security
So what security threats do enterprises and their cloud service providers face? The Cloud Security Alliance (CSA), a body that focuses on best practices to help organizations enjoy a secure cloud computing environment and experience, defines nine core threats to cloud security. These are data breach, data loss, account or service traffic hijacking, insecure interfaces and APIs, denial of service, malicious insiders, abuse of cloud services, insufficient due diligence and shared technology vulnerabilities.
Mitigating these threats requires best security practices at all stakeholders: cloud provider, enterprise and end-user. For example, in addition to the cloud provider’s security controls, users need to practice good password management for access to cloud applications and enterprises need mobile device management to wipe confidential data from lost devices.
This message is perhaps not getting across clearly, because a recent survey of both IT and non-IT enterprise executives found that less than 16 percent consider cloud security a shared responsibility. Some 31 percent said that it is up to the cloud provider to keep apps and data safe and 20 percent place the onus on end-users.
Think best practices
Ultimately, ensuring security within the cloud requires that all stakeholders focus on best practices. The nine core threats outlined by the CSA can help enterprises formulate policies that keep data safe, while working with an expert cloud provider to maximize data safekeeping.
At policy level, think access management and ensure strong password procedures are in place to mitigate end-user vulnerability. A patch management process to keep an environment secure with the very latest updates is also advisable, while data logging and analysis also helps identify potential weak points and patterns.
With this in mind, migrating to the cloud ultimately means having trust in your cloud provider. Any organization wanting to house sensitive data in the cloud needs to consider private, hybrid and virtual private cloud offerings, and cloud providers are there to know what a company needs most – and have the necessary security processes and staff in place to provide protection.
Find out more about Orange Business Services cloud solutions that are hosted in state-of-the-art cloud-ready data centers, ensuring world class levels of service and security.