Enterprise cloud deployments will likely double in the next two years, but your enterprise probably makes more extensive use of the cloud than is easily visible. Securing these deployments is critical.
“Maintaining established levels of security is more complex than in a traditional IT environment, where security was often based around securing physical devices to secure the data,” warns 451 Research in the Breaking Through The Barriers to Cloud Adoption report commissioned by Orange Business Services.
Cyber-attacks on enterprises are a very real threat. The most recent PwC Global State of Information Security report reveals 69 percent of UK companies experienced a cyber-security incident in the past 12 months. Some attacks have financial consequences.
Attempts to subvert enterprise IT systems have grown incredibly sophisticated. There are three broad forms of threat:
· Extrinsic threats include cybercriminals attacking your systems or those of key partners; poor security procedures at unsecured endpoints outside your control.
· Internal threats may come from disloyal employees, poor security protocols or uncontrolled storage of data on public cloud services.
· Operational threats to data integrity may include problems with data lock-in when migrating between CSPs, or the challenge of migrating data to new systems when CSPs cease trading.
Traditional CIA (Confidentiality, Integrity, Availability) data analysis should help guide your security priorities. Given limited resources it makes economic sense to focus security efforts on protecting your most valuable, confidential or business-critical data first. This delivers better ROI and usability.
The geographical location of your data also poses problems: what data protection regulations protect your data where it is stored and in transit? What impact does this have on your security and regulatory burden?
The Cloud Security Alliance’s Cloud Control Matrix provides a host of resources designed to help enterprises effectively assess providers. At the very least enterprises should insist communication service providers (CSP) prove they meet existing security standards such as ISO 27001 or the Cloud Security Alliance (CSA) STAR certification scheme. These ensure your data is kept securely while it is on your CSPs servers, protecting you against attacks against your supplier’s systems.
It is essential to secure all parts of the cloud infrastructure and supply chain, including partners who may support your CSP. You must monitor for security threats against any and all parties within your private, public or hybrid cloud ecosystem.
Wherever your data is situated, or wherever it goes in transit, you can enhance protection by encrypting all data transmissions, including the encryption of data held on server. Tokens add an additional layer of protection. This makes it much harder for cyber-criminals to make sense of any data they manage to purloin at any step on the journey between your systems and servers.
designing a security policy
You can help protect yourself against internal security vulnerabilities by developing data and security protocols that define when, where and how data can be accessed and/or used, and by whom.
Mobile device management (MDM) will help you implement such policy, particularly with BYOD-authorized employees. You must manage your more traditional endpoints – PCs, devices, servers and other equipment.
Security updates must be punctually applied to all systems that support your cloud, including the little-used server in the most remote part of your server farm. Those system updates are critical – you don’t want an unpatched server providing a back door through which criminals can access your systems.
Implement 24/7 security scanning and protection of your network and IT infrastructure. Weave real-time monitoring of data and proactive evaluation of applications to help quickly identify and respond to threats.
Identity and access management helps ensure access to your data is defined by user and need – a low level employee should not have access to your most critical information. If a rogue employee attempt to undermine security, these systems will provide evidence to show where the blame sits.
The main priority is to think ahead. A rehearsed disaster recovery plan means you will know what to do in the event a security problem is identified. This enables rapid and effective response to any security incident, rather than panic-induced phone calls between stakeholders when key decision makers may be travelling or otherwise unavailable.
Users are the weakest point in any cloud security system. Even where key security policy exists, employees won’t necessarily follow it unless they understand why it exists. It makes sense to educate employees as to the risks and encourage them to follow such basic security practices as:
· Avoid using public Wi-Fi to access key systems
· Never use the same password twice
Ultimately, successful cloud deployment requires you protect against a variety of threats, but if you follow good practice then the cloud is secure as any other IT environment.
Visit Orange Private Cloud Solutions to find out more about secure cloud services.
Jon Evans is highly experienced technology journalist and editor. He has been writing for a living since 1994. These days you might read his daily regular Computerworld AppleHolic and opinion columns. Jon is also technology editor for men’s interest magazine, Calibre Quarterly, and news editor for MacFormat magazine, which is the biggest UK Mac title. He's really interested in the impact of technology on the creative spark at the heart of the human experience. In 2010 he won an American Society of Business Publication Editors (Azbee) Award for his work at Computerworld.