Posted 5.14.19
by Carrie Kennedy
Blog
Achieving Security in the Cloud

This post has been edited from the original and updated to reflect new research.

One of the biggest concerns organizations have about hybrid cloud is data security, and rightfully so: according to Gartner, at least 95 percent of cloud security failures will be the fault of the customer through 2022. It’s important to start asking how you can use the cloud securely, rather than asking whether the cloud is secure. What are the biggest security challenges in hybrid cloud adoption, and how can you solve them?

To run successfully in the cloud (i.e., with few to no security failures), you’ll need to consider the difference between secure cloud infrastructure and secure applications within that infrastructure. Just because your cloud infrastructure is secure doesn’t mean the data that rests inside it is. Security in the cloud depends on a well-defined risk and governance strategy. Gartner recommends setting clear expectations around the form, significance and control of the public cloud and how much influence it has on the organization. CIOs should also provide guidance on which cloud each data workload will be placed in, and build in-house expertise around the different cloud models (private vs. public).

This is all part of thinking about cloud security at the application and data level, not just the infrastructure. Otherwise, you won’t have the security success in the cloud you want. Think about the data visibility you currently have: What’s happening with your data, and where exactly is it going? You’ll want to monitor not only external network access, but internal access as well. According to the Ponemon Institute, it takes about 200 days to detect a breach. How long will it take you? In a SaaS model, the entire stack is managed by the service provider. That means focusing on identity and access management permissions to protect sensitive data. What kinds of identity management and access tools does your organization have in place, and what are the policies surrounding those tools? Who will manage that access?

So, what should you do? Get clear guidance on identity and access management from your provider and read the contracts carefully–some may ask for access to your data, others may not. Track your employees’ access and your network traffic using services such as daily log review. Some providers offer this as a managed service.
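A concrete form of the daily log review suggested above, added here as an example and not code from the original post or from Otava. It parses a constructed access log (RFC3339 time, user, source IP, resource, result) and surfaces three things a reviewer of both internal and external access would want flagged: requests from outside the corporate range, successful access outside business hours, and repeated denials for one user against one resource. The log format, the 10.20.0.0/16 corporate range, the business-hours window and the denial threshold are all assumptions made for the example.

```go
package main

import (
	"fmt"
	"net"
	"strings"
	"time"
)

// AccessEvent is one parsed line of the constructed access log.
type AccessEvent struct {
	When     time.Time
	User     string
	SrcIP    net.IP
	Resource string
	Result   string // "ok" or "denied"
}

// Finding is one line a reviewer should look at, tagged with the rule that fired.
type Finding struct {
	Rule string
	Line string
}

// Constructed sample log (not real traffic). Fields: time user source-ip resource result.
const sampleLog = `2019-05-13T09:12:01Z alice 10.20.1.15 /finance/ledger ok
2019-05-13T09:15:44Z bob 10.20.1.22 /hr/payroll ok
2019-05-13T02:40:09Z alice 10.20.1.15 /finance/ledger ok
2019-05-13T11:03:27Z carol 198.51.100.23 /finance/ledger ok
2019-05-13T14:00:01Z dave 10.20.3.7 /hr/payroll denied
2019-05-13T14:00:05Z dave 10.20.3.7 /hr/payroll denied
2019-05-13T14:00:09Z dave 10.20.3.7 /hr/payroll denied
2019-05-13T15:30:00Z bob 10.20.1.22 /hr/payroll ok`

func parseLine(line string) (AccessEvent, error) {
	f := strings.Fields(line)
	if len(f) != 5 {
		return AccessEvent{}, fmt.Errorf("malformed line: %q", line)
	}
	t, err := time.Parse(time.RFC3339, f[0])
	if err != nil {
		return AccessEvent{}, err
	}
	ip := net.ParseIP(f[2])
	if ip == nil {
		return AccessEvent{}, fmt.Errorf("bad source ip in %q", line)
	}
	return AccessEvent{When: t, User: f[1], SrcIP: ip, Resource: f[3], Result: f[4]}, nil
}

// ReviewLog applies three checks to every line. internalNets are the ranges
// treated as "inside"; startHour/endHour is the business-hours window in UTC;
// failThreshold is how many denials for one user+resource pair trigger a finding.
func ReviewLog(raw string, internalNets []*net.IPNet, startHour, endHour, failThreshold int) ([]Finding, error) {
	var findings []Finding
	failures := map[string]int{}
	for _, line := range strings.Split(strings.TrimSpace(raw), "\n") {
		ev, err := parseLine(line)
		if err != nil {
			return nil, err
		}
		// Rule 1: the request came from outside the corporate ranges.
		if !inAny(ev.SrcIP, internalNets) {
			findings = append(findings, Finding{"external-source", line})
		}
		// Rule 2: a successful access outside business hours.
		h := ev.When.UTC().Hour()
		if ev.Result == "ok" && (h < startHour || h >= endHour) {
			findings = append(findings, Finding{"off-hours-access", line})
		}
		// Rule 3: the same user denied on the same resource repeatedly
		// (reported once, when the threshold is reached).
		if ev.Result == "denied" {
			key := ev.User + " " + ev.Resource
			failures[key]++
			if failures[key] == failThreshold {
				findings = append(findings, Finding{"repeated-denials", line})
			}
		}
	}
	return findings, nil
}

func inAny(ip net.IP, nets []*net.IPNet) bool {
	for _, n := range nets {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// CorporateNets returns the assumed internal range for this example.
func CorporateNets() []*net.IPNet {
	_, n, _ := net.ParseCIDR("10.20.0.0/16")
	return []*net.IPNet{n}
}

func main() {
	findings, err := ReviewLog(sampleLog, CorporateNets(), 8, 18, 3)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%-18s %s\n", f.Rule, f.Line)
	}
}
```

Run against the sample it reports three lines: alice’s 02:40 read of the ledger (off hours), carol’s read from 198.51.100.23 (outside the corporate range), and dave’s third consecutive denial on payroll. The point is not the specific rules but that internal access gets the same scrutiny as external access, and that a review like this is cheap enough to run daily.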

Other security concerns in a hybrid environment include compliance, lack of encryption, poor SLAs, data redundancy, and data privacy and visibility. Some clouds are more equipped to handle these challenges than others, and it’s important to make sure you have the cloud that addresses your needs best. Let’s look at these barriers and see how they can be addressed.

Compliance: Compliance and security are intrinsically tied together. Whether your data is moving from cloud to cloud or from a cloud to a physical server, it’s critical that you and your cloud service provider (whether that’s an in-house team or a third party) have the correct controls in place. This is especially important in today’s mobile, BYOD world.
What should you do? Make sure your provider can pass third-party audits as part of a standard check for regulatory compliance. But remember, just because your provider is compliant with industry regulations doesn’t mean you’re off the hook—you as an organization must also meet requirements.

Lack of encryption: You’d think these days, encryption would come with the cloud just like wheels come with a new car. But according to a recent report, less than 10 percent of cloud providers offer encryption at rest. This could leave your data vulnerable to attacks or user abuse.
What should you do? Encryption is widely considered a best practice for your data. Encryption at rest has to be a given, but don’t stop there: you want your data secure at every point in the network, including in transit and at endpoints. Encryption should be a critical component of your compliance strategy as well. Network endpoints are some of the most vulnerable spots for an attack, so you’ll want encryption between your devices. The Health Insurance Portability and Accountability Act (HIPAA) does not specifically require encryption, so if you decide not to use it, think about what other measures you should take to keep your data secure. PCI requires encryption. Encryption of course isn’t the silver bullet for security in the cloud (no one solution is), but you’d be wise to implement it.
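Since the post notes that you cannot count on the provider to supply encryption at rest, one way to make it a given regardless of provider is to encrypt each object client-side before it is uploaded. The following is an added example, not code from the original post or from Otava: AES-256-GCM from Go’s standard library, with the object name bound as additional authenticated data so that a blob copied to another name in the store fails to decrypt, and an in-memory map standing in for the provider’s object storage. Key management is deliberately out of scope (a production deployment would obtain the key from a KMS or HSM rather than generate it in the application); the key, object names and record contents are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Seal encrypts plaintext with AES-256-GCM under a 32-byte key before it is
// handed to the provider. The random nonce is prepended to the ciphertext, and
// the object name is bound as additional authenticated data (AAD) so the blob
// only decrypts under the name it was written with.
func Seal(key, plaintext []byte, objectName string) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Output layout: nonce || ciphertext || GCM tag.
	return gcm.Seal(nonce, nonce, plaintext, []byte(objectName)), nil
}

// Open reverses Seal. Any change to the blob, or a mismatch in the object
// name, makes the GCM tag check fail and returns an error instead of plaintext.
func Open(key, blob []byte, objectName string) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob too short to contain a nonce")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(objectName))
}

func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Demo walks the three cases a reviewer cares about: a normal round trip
// succeeds, a blob with one flipped byte is rejected, and a blob copied to a
// different object name is rejected. The map is a stand-in for the provider's
// object store (an assumption of this example).
func Demo() (roundTrip, tamperCaught, renameCaught bool, err error) {
	key := make([]byte, 32) // constructed here; in production this comes from a KMS/HSM
	if _, err = rand.Read(key); err != nil {
		return
	}
	store := map[string][]byte{}
	record := []byte("patient 4711: lab results (constructed sample record)")

	blob, err := Seal(key, record, "records/4711.json")
	if err != nil {
		return
	}
	store["records/4711.json"] = blob

	// 1. Normal read by the application that holds the key.
	pt, err := Open(key, store["records/4711.json"], "records/4711.json")
	if err != nil {
		return
	}
	roundTrip = bytes.Equal(pt, record)

	// 2. Someone with raw storage access flips one byte of the stored blob.
	tampered := append([]byte(nil), blob...)
	tampered[len(tampered)-1] ^= 0x01
	_, tErr := Open(key, tampered, "records/4711.json")
	tamperCaught = tErr != nil

	// 3. The same blob is copied to a different object name in the store.
	store["records/0000.json"] = blob
	_, rErr := Open(key, store["records/0000.json"], "records/0000.json")
	renameCaught = rErr != nil
	return roundTrip, tamperCaught, renameCaught, nil
}

func main() {
	rt, t, r, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("round trip ok: %v, tamper detected: %v, rename detected: %v\n", rt, t, r)
}
```

Because the provider only ever sees ciphertext, the at-rest guarantee no longer depends on what the provider offers, and a storage-level account that can read or rewrite objects cannot read or silently alter the records. What this does not remove is the dependency on key handling and on encryption in transit, which is why the post is right to insist on covering every point in the path rather than stopping at rest.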


Poor SLAs: What is the absolute highest amount of downtime your business can withstand? Does your SLA meet (or exceed) those expectations? An SLA (Service Level Agreement) is what sets the tone for the operation of your cloud environment. Think of it as the guarantee seal your provider slaps on your contract.
What should you do? Read the fine print carefully. Poor SLAs can result in more downtime and security risks than you’re willing to accept or afford.

Lack of data redundancy: In today’s world, you can’t rely on just one copy of your data. What’s your backup strategy? If part of your environment goes down, can you still access your data?
What should you do? Take advantage of multiple data centers from your provider. In case of an outage at one, you can rest assured knowing your data is backed up at another. Disaster Recovery as a Service (DRaaS) or Backup as a Service (BaaS) are two different ways you can address potential downtime and data loss effectively, no matter what cloud environment you have.

Hybrid cloud, just like on-prem or pure private cloud, is only as secure as you make it. Ten years ago, organizations hesitated to move to the cloud because they assumed it wasn’t secure. Now, they’ve swung in the opposite direction: If it’s in the cloud, it must already be secure. This isn’t true! It’s up to you to develop your own cloud security strategy and thoroughly vet your cloud providers, working with them to put the proper security measures in place that will keep your data protected. The right provider will be able to help guide you to be secure at every layer in the stack, not just the infrastructure.

Get started with Otava now!
