Driven by a range of benefits from enhanced scalability to cost reduction to ubiquitous access to applications, the migration of businesses to the cloud is continuing apace. Indeed, according to analyst, Gartner, more than $1 trillion in IT spending will be directly or indirectly affected by the shift to the cloud during the next five years.
[easy-tweet tweet=”The choice of a third party cloud services provider is critical” hashtags=”security, cloud, tech”]
Any business making the transition will naturally be focused on achieving optimum levels of data security. The choice of a third party cloud services provider is, therefore, critical – and there is a host of issues to consider. For example, do the terms and conditions of their prospective provider meet their requirements; and what about data sovereignty, security and even compensation if something goes wrong?
Just the simple fact of moving data to the cloud brings with it security concerns – and having a rigorous approach to encryption in place is critical in this context. Businesses need to ensure for example that any data transitioned to the care of that provider is encrypted the moment it lands rather than post-landing. Best practice is for the business to encrypt data itself as it leaves their building. This ensures there are two layers of encryption – so that if one is compromised, one remains encrypted.
While the choice of provider is a key upfront concern, businesses also need to decide from the outset what data they want to move to the cloud and what to retain in-house. That’s why we are seeing the hybrid cloud model becoming de facto especially for larger businesses, who see benefits in keeping more sensitive customer data on-premise.
[easy-tweet tweet=”businesses also need to decide from the outset what data they want to move to the cloud” hashtags=”cloud, tech, IT, security”]
Ultimately, the business itself needs to accept a high level of responsibility for the security of its cloud-based data and this is especially key with regards to data access. One of the big issues for any business running hybrid cloud is: do they have a security policy that works seamlessly across both on-premise and cloud services: If somebody wants to access the business’s on-premise data they go through a gateway: generally a VPN, or front-end web server. However, if an employee tries to access data in the cloud, the business is unlikely to have any control over, or visibility of, that process. That’s because there is typically a standard way of accessing cloud services that is not necessarily in line with the organisation’s standard security policies.
Many cloud services will come with username/password authentication out-of-the-box and that is likely to bring with it an element of risk. The challenge for the business is to manage and mitigate those cloud service access risks in the same way as it would its on-premise service risks. After all, cloud data belongs to the business, not the cloud service provider, and the business is ultimately responsible for protecting it. And in the age of BYOD where many devices used in the corporate environment are unmanaged, that’s often a significant challenge.
So what’s the solution? Education is key, of course. Businesses need to highlight the message that employees should take a responsible approach to data protection. They must be aware of the potential security threats and do all they can to mitigate them – from keeping care of devices they use at work to ensuring passwords are consistently strong.
[easy-tweet tweet=”Businesses need to highlight that employees should take a responsible approach to data protection” hashtags=”tech, cloud, IT, security”]
But in this new security environment, businesses also need to find technology solutions that allow them to mitigate risk. A key part of this is to step up the level of authentication that those devices require before they can access cloud data. Businesses can, for example,, deploy an authentication portal or an access broker which means that if a user wants to access data in the cloud, they have to authenticate via the business’s own domain. That critical touch point enables the organisation to establish control over data access. And they can further mitigate risk by making the authentication mechanism adaptive depending on who and where the user is; what they want to access and what devices they are using.
So in summary, before businesses move to the cloud, they first need to find a cloud service provider they can trust; define which services and applications they are going to transition and then put a security policy in place, But critically also, across all of this process, they need to find some form of access broker and an adaptive authentication mechanism that delivers the highest possible level of control. At that point, they will have a fully secure approach to data access in place and be ideally placed to reap the many rewards that moving to cloud services can bring.