One of the reasons organisations frequently give for not moving services to cloud is security.
Although a recent survey found that 61 percent of chief information security officers now believe that the risk of a breach is the same or lower in a cloud environment than on-premise, security fears remain, particularly in regulated industries.
We frequently find ourselves explaining to both senior executives and IT managers that cloud services are not inherently insecure.
Cloud can, in fact, provide increased data security, provided it is implemented correctly. In my opinion, the real problem deterring organisations is that using cloud means handing responsibility for their IT services and data to someone else. In other words, the fear arises from no longer being in control. This is perfectly rational, and for some may result from past experience of outsourcing, but closer analysis shows that these fears are unfounded.
Cloud does not change the basics of security – the threats remain the same. To ensure their data remains secure in the cloud, organisations need to consider two key factors: the potential vulnerabilities of what their chosen supplier will provide, which can be addressed by applying appropriate due diligence and mitigation; and the security responsibilities they retain in-house, which will depend on the type of service they buy.
Carry out due diligence on potential suppliers
Most cloud suppliers will implement and manage considerably better IT security controls than the internal IT departments of all but the largest and most security-conscious organisations, for one simple reason: ensuring good security is vital to the success and well-being of their business.
Reputable cloud providers will, as a minimum, hold and maintain ISO27000 best practice information security certifications. Many host data from the public sector and regulated industries, which also requires them to gain and manage separate security accreditations and be regularly audited and tested by independent external providers. They can afford the best security technologies and the staff to maintain and update them, because this cost is spread across all their clients. In contrast, many mid-sized organisations do not have an in-house security specialist and rely on a generalist to handle security issues.
One might argue that the ‘bad guys’ are more likely to try to attack a large and high-profile target such as a public cloud provider. However, providers have the appropriate policies, protections and resources in place to monitor and protect against such threats, plus scale and distributed resources, making attacks more complex to engineer.
Another aspect that potential cloud users need to consider is supplier risk management. They need to evaluate the potential supplier’s financial security, as they would when buying any other service; review terms and conditions carefully; ask the right questions to ensure that they know exactly what they are buying; and seek out independent verification of their capabilities.
There are significant differences between cloud providers’ design criteria, billing models, contractual terms and conditions, available SLAs and the recompense if these are not met, and data recovery terms. Particular care is required in areas such as service availability, capacity and performance guarantees, failure remediation and disaster recovery.
You also need to be aware of the service supply chain, both who you are actually contracting with, and the underpinning agreements in place for key service elements not directly provided by the contractor. However, none of these constitute a security risk. Cloud providers make their terms of business very clear, and it is up to potential customers to read the agreements and ensure that what is being offered meets their requirements. If an organisation cannot obtain the guarantees it needs, it should retain IT services in-house.
Remember your own security responsibilities
Organisations need to understand that moving data to the cloud does not negate the need to take proper data security precautions themselves. Different cloud options come with different levels of included security. As a rough guide, these are the responsibilities of provider and customer for different types of cloud.
If using SaaS, organisations are basically a passenger, as their data is on someone else’s platform. With IaaS, customer and provider share a common level of risk, and organisations need to ensure they configure the set-up correctly. All the major providers have a shared security model which clearly details the roles and responsibilities of the provider, the customer and any third parties.
This is not rocket science, but there have been many reported cases (and no doubt many more unreported ones) of data on unprotected Amazon S3 storage. Dow Jones, Accenture and most notably the Pentagon have all made the basic error of failing to set appropriate, Amazon-provided security controls or passwords to protect their data, resulting in a warning from the National Cyber Security Centre.
With PaaS, the cloud provider keeps the underlying platform secure, but if an organisation uses insecure authentication methods or releases insecure code for web-accessible applications, then any breach is its responsibility.
The core principle is that, even though data may be stored in the cloud, its security ultimately remains the responsibility of its owner. Organisations must ensure that their chosen service provider delivers the appropriate levels of information security for their business needs. Trust but verify; it is incumbent on organisations to test, measure and audit providers themselves to ensure this is delivered.
This means having the right policies and processes in place, with employee buy-in and compliance. The majority of security problems arise when people upload data without thinking of the implications or take data outside their organisation, neither of which is a cloud-related issue. Cloud can help to prevent some of these issues; one of the key advantages of using cloud to deliver a virtualised desktop environment is that no data ever leaves the data centre unless the organisation’s security policy allows mapping of local drives, USB memory sticks or other external storage.
Users need to understand why security is important, their role in maintaining it and the consequences of getting it wrong, which is exactly the same whether organisations are using in-house infrastructure or cloud. However, implementing cloud means following processes prescribed by the cloud provider. Organisations have to make their processes fit the way their cloud provider works, rather than setting policies for themselves.
Choose wisely, and get your own house in order first
To sum up, cloud is not inherently insecure, but it may not be the right solution for everyone.
Organisations need to ask their potential suppliers a series of questions to ensure that they understand exactly what they are buying and whether it is secure enough for their needs, and then audit suppliers regularly to ensure the agreed security is applied. Most important of all, they need to maintain good data hygiene internally, and implement effective policies and practices to ensure that their data remains secure.
By Richard Blanford, chief executive, Fordway