Few now question the benefits that can be realised from cloud through greater business agility, rapid scalability of services and reduced costs. Security, however, consistently rates as the major concern for enterprises adopting cloud-based services.
Frequent stories of hackers, organised cyber criminals and state-sponsored attackers play into these concerns, not only about information loss but also about possible sabotage, in which sophisticated methods are used to target potential victims.
The challenge for those wanting to reap the efficiency and cost benefits of cloud is to find new ways of protecting their physical and virtual assets — and that requires a whole-of-enterprise approach.
Cloud security begins at home
Evaluating and managing the security risks must be top of mind for organisations wanting to make a successful transition to cloud.
The various deployment models — public, private and hybrid — each have their own security vulnerabilities and risks. And these increase depending on the range of potentially unidentified users.
While the challenges are real, working methodically from the inside out provides the key. CIOs and CISOs must focus on securing their own enterprise's use of cloud-based services rather than on whether the cloud, in general, is secure. Ironically, the key to cloud security begins at home.
There are essentially five key areas that need to be considered:
Cloud access devices — Users access the cloud from a wide range of devices, including desktop computers, laptops, PDAs, mobile phones, smart phones and tablet PCs. A growing trend blurs the border between personal and business computing devices, making it increasingly difficult for organisations to control security.
The cloud platform — Future enterprise clouds are likely to be hybrid systems combining both physical and virtualised IT resources, all of which must be equipped with security. This includes malware and data protection measures, as well as network and host security solutions.
Identity and access management — The security ecosystem may not be entirely under your control in the cloud, so proper security provisioning, governance and management tooling must be in place for reporting and to check for breaches. Outsourcing is an option for those unwilling to manage their own security, identity and access management systems.
Security and compliance management — In the cloud, this requires more than just security products — you must also have security-minded people and processes to ensure that the environment operates securely.
Cloud stakeholders — There are essentially three categories of stakeholders who interact with the cloud, and each has distinct security attributes:
- Consumers, who might be individuals or people linked to an organisation.
- Service personnel responsible for delivering cloud security.
- Service governance stakeholders who set the overall security levels to meet audit and compliance requirements.