In the past several years, cloud adoption has grown rapidly. The latest studies reveal that cloud adoption in the UK now stands at 84 per cent with companies using at least one cloud service.
As investments in the cloud increase, so do concerns regarding security and the risks associated with storing sensitive information on cloud platforms. So what security essentials should a company consider when storing data in the cloud?
Cloud security starts with the same three ‘pillars’ as internal network security: confidentiality, integrity and availability. Yet, businesses need to recognise that the cloud stretches these three pillars in new ways. For example, there is a greater attack surface whatever the delivery model.
Private cloud is the most secure and doesn’t compromise company policy, but it’s expensive to do right. Community cloud involves shared infrastructure with unified security, compliance and jurisdiction requirements, although it can be restrictive. Public cloud is flexible from an adoption perspective, but you have to accept the policies of the service provider. Finally, hybrid cloud combines all these aspects, although success depends on the eventual service choice (x-as-a-service).
Once you have identified the architecture that fits your requirements, there are further questions to ask. Are you able to answer the following with confidence?
- What are the controls on privileged administrators and how are they supervised?
- Where is data held? How is it held (encrypted/resilient/high availability)?
- Will legal obligations to protect company data be impacted if the provider has a distributed architecture (i.e. multiple data centres across different countries)?
- What about backup and archiving?
- What is the provider’s viability? Any probability of company failure or acquisition?
- Does the cloud solution integrate with the company’s IT infrastructure?
- Will the workforce be affected by how they access data?
- Certifications – who audits them and how frequently?
- Does the provider have provisions against disruption from attacks, and for business continuity or disaster recovery?
One point businesses must be aware of – data security remains their responsibility. It is not transferred to the provider. No single security method will solve every data-related problem, so multiple layers of defence are critical, from access control, system protection and personnel security, to information integrity, network protection and cloud security management.
As well as hackers targeting a specific cloud service or corporation, companies must also take into consideration the risks posed by employees. Research released by Experian showed that 60 per cent of security incidents were caused by employees; this risk is exacerbated further by staff working remotely or using personal mobile devices to access sensitive materials outside of the company network. Consequently, organisations need to implement a strong security and awareness strategy that includes acceptable usage policies for employees, enabling them not only to improve their cyber security behaviour, but to become true custodians of the company’s sensitive data, cloud or no cloud.
Finally, it is critical to make sure that cloud infrastructure and disparate applications are integrated, yet independent from each other so that the impact of any compromise or breach can be contained. This is a crucial step to securing the cloud across a business.