As organizations explore and define their cloud strategy, they identify expected benefits including reduced capital investment, improved geographic diversity, scalability, agility, and performance. What the cloud can bring to a given scenario varies, but most organizations find clear-cut benefits.
So, what are the challenges?
Any system or device connected to a network can be compromised and, if the data is sensitive, the reputation and economic risks grow. Cloud-hosted solutions offer both hardware and software on demand over the Internet. Since they are offered over the Internet, the systems themselves are subject to attack. It is only through well-constructed controls that data and systems are safe.
Companies using a cloud provider’s environment should make sure they know who owns the data on that platform. Does the cloud provider own the data? If the company using the cloud owns the data, do they incur 100% of the responsibility associated with a breach? The results of exposure of sensitive information, including personally identifiable information, personal financial information or personal health information, constitute a data breach subject to fines and legal action. So, the first control necessary is a contract that states the company owns the data.
Cloud providers know keeping their cloud secure is essential to ensuring efficiency and maintaining the credibility of their business. Cloud customers reap the benefits of the public cloud provider’s security but must recognize they are in a shared security model where they own the risk scenarios associated with mitigating controls of their applications and data.
A company can reduce risks by applying strong controls. Fortunately, providers offer cloud-based controls that help mitigate risk. Key areas to consider include:
1. Identity Management
Cloud-based identity management provides users with efficient access to applications, data and network services. Customers can implement a low-cost, rapidly deployed single sign-on and identity management solution using tools provided by the cloud provider. Identity management solutions are not limited to applications hosted in the cloud provider’s space but can also benefit by tying application access offered by software as a service to those hosted on premise or deployed in another cloud. Help desks become more efficient as users are no longer required to remember, and often forget, separate User IDs and passwords for each system. The solutions also typically offer advanced security features like multi-factor authentication.
2. Rights Management
Public secure cloud providers offer the use of tools to grant the appropriate level of access to individual users. The recommended approach is to use the philosophy espoused by the “rights of least privilege” so only users with a bona fide need can access a specific resource. Ensuring data is classified provides the framework to deploy a rights management solution.
3. Data Encryption in flight and at rest
Public cloud providers offer data encryption solutions for data in-flight and at rest on the provided storage. Encryption ensures that information cannot be easily monitored, viewed or improperly disclosed.
4. Network Security
Secure cloud providers offer controls to isolate network segments to ensure data from one tenant is not accessible to or from other tenants. These include traditional concepts like firewalls, application firewalls, and network and data segmentation.
Monitoring assets provide the ability to proactively collect performance and system utilization information, monitor and audit system and device logs and, based on the information discovered, proactively respond to incidents with alerts or automated actions.
Many secure cloud providers offer security monitoring solutions to allow customers to monitor for unusual network traffic or connections with known bad players and alert administrators or automatically block the known bad traffic.
6. End Points
Most organizations leverage the ubiquitous mobile communications capabilities end users now utilize to connect to cloud solutions from anywhere. Devices, whether owned by the enterprise or end user-owned, often exist outside the protection of internal company controls and therefore additional controls should be considered for these devices.
Building a cloud security strategy requires a thoughtful approach to select protections, monitoring, and governance needed to reach a level of acceptable risk. There is no single formula to dictate an acceptable level of security. The security deployed must be aligned with regulatory requirements, the application architecture and an individual organization’s tolerance for risk and then balanced against the cost of implementing the identified controls.
(Article by John Leek, RUMBLE’s strategic technologist and director of the RUMBLE Lab. John’s 34 years of experience as a business leader, department head at large enterprises, business owner, and software developer provides a strong foundation for understanding the challenges facing RUMBLE’s customers.)