This article was featured in an edition of CISO MAG.
Contributed by Akamai Technologies.
As more and more companies begin to comprehend the benefits of cloud computing, its adoption is probably higher than ever before. According to research done by Intel Security, in 2016, hybrid cloud adoption increased by three times within the organizations surveyed. The same set of organizations predicted that in the next 15 months, around 80% of all information technology (IT) budgets will be dedicated to cloud solutions. As the cloud foothold expands globally, so does the attack surface. Even with more organizations showing trust in cloud technology, security still features as a top challenge that they will face.
Many studies conducted across the years focus on understanding the true nature of the threats that target cloud infrastructure. If you pay close attention to these, you will realize that the cloud is hardly the target; the target is what lies within, that is, your data and applications. This is not a new problem. It has always existed and always will.
As more and more sensitive data moves to the cloud every day, we seldom realize that as boundaries disappear, new privacy and data protection laws appear. Interfaces and APIs, shared technology and multi-tenancy, identity management, lack of adequate encryption, etc., are some of the issues that have long featured on the list. Compliance is an ongoing concern for top executives, yet the security practices of cloud service providers (CSPs) are often reviewed on paper but rarely audited by experts. Market prominence and word-of-mouth publicity play an influential role in choosing the cloud vendor, and most often flexibility and cost are given preference over security. Technical measures alone aren’t sufficient.
Legal contracts need to evolve for cloud nuances and risks as well. One of the factors that has been constantly undermined but is more prevalent now is the lack of skilled security resources. Many organizations delay moving to the cloud due to the lack of an appropriately skilled cybersecurity workforce. In-house IT teams aren’t equipped with the right tools and knowledge to fight newer battles on newer grounds.
Conventional security practices don’t hold good as your perimeter now extends beyond your sight. While the cloud expands the attack surface and overall risks, organizations must truly understand that, as business owners, they are still responsible for ensuring that risks are addressed. It is essential to embrace the cloud not only for business but also for security; it must become an integral part of the organizational security culture. Unfortunately, many organizations either don’t cover the cloud as part of their security policy or have merely listed it. Like any other aspect of security, cloud security continues to limp without the support of the necessary governance practices. The prudent man rule applies to us more than ever. We are responsible and accountable for the security of our businesses, whether in the cloud or within company premises.
The good news is that there is a silver lining behind the cloud. As trust and mindsets mature, security practices and awareness have grown as well. Many organizations worldwide actively participate in raising cloud security awareness as well as in standardizing the best practices to adopt for securing the cloud computing environment. Security executives should pay close attention to the following:
Security policy and governance framework: Establish strategy and practices to support cloud security.
Empower security practitioners to be decision makers for cloud resources.
Audit the security controls: Don’t rely on the cloud vendor’s proof of its security measures alone; have experts test and audit them. Third-party assessment is usually more beneficial. Audit them regularly.
Invest in building security skills: Train right and hire right. Many organizations now find managed security services a valuable option to bridge the security skill gap by letting experts handle their security.
Redefine technical measures: Implement more robust technical measures such as storing encryption keys separately in the hardware. Companies like Akamai have pioneered this by building and securing separate key management infrastructure.
Focus on sensitive data: It is your priceless possession. Classify it and clearly define roles and accountability for safeguarding sensitive information stored in the cloud.
Insure your legal rights: Have the right legal and contractual clauses especially designed for cloud infrastructure. Ensure that they cover data security and privacy compliance.
Invest in the right tools: Beat the cloud with the cloud and not a sickle. A number of organizations find cloud security solutions to be effective, scalable and beneficial to their businesses. Costs should not be a challenge in the long run.
Redefine traditional risk assessment: Generic or traditional risk assessment frameworks have proven to be partially effective for cloud deployments. Risk assessment should consider cloud as an integral asset.
According to Gartner, 2017 will see growth of 18% in worldwide public cloud services. The expansion is inevitable, and as security professionals, we all need to be ready for a rainy day. Do your due diligence, trust the cloud and carry your umbrella.