The news is full of security leaks, and everyone in the industry is aware of the damage to customer relationships, the loss of revenue and the impact they have on corporate value (and acquisitions!).
Eric Boonstra, Managing Director, EvoSwitch
Is the Cloud Less Secure?
The answer is yes, if it is used insecurely. With enterprises moving to hybrid cloud environments, data architectures are divided between dedicated infrastructure and public and private cloud platforms. These hybrid models have a lot of benefits, but they also introduce more complexity for securing data and applications. This is a major skills challenge for many organisations. In a recent study, 46% of organizations said they have a ‘problematic shortage’ of cybersecurity skills – up from 28% just a year ago, and over 30% of those respondents said their biggest gap was with cloud security specialists.
Who is responsible when things go wrong?
As I mentioned in a blog earlier this year on EU Data Security Regulations, from a legal perspective the new focus in the regulation on the data ‘processor’ rather than data ‘controller’ is good news here. It shifts some responsibility for data handling and documentation to Cloud Service Providers, and many CSPs are already well positioned to address the regulations through a mix of best practice and certifications. Choice is the key here: it allows you to ensure that your CSPs are compliant and that their SLAs match or exceed your security policies.
But the bad news is that the buck cannot stop with the service provider. Security has to be a shared concern. IT teams will still need in-house expertise on encryption and data loss prevention controls for content-rich cloud applications. They will need to know where the enterprise data sits in the cloud, what offerings cloud service providers have for data protection, and most importantly, how to integrate data protection policies in the cloud with existing company policies.
And regardless of whether they are deploying SaaS, PaaS, IaaS, or a combination of those services, they will need identity and access management (IAM) and multifactor authentication skills. According to Gartner, only a small percentage of security incidents impacting enterprises using the cloud have been due to vulnerabilities that were the cloud service provider’s fault. The characteristics of the cloud stack can make cloud computing a highly efficient way for inexperienced users to implement poor practices, which can result in widespread security or compliance failures.
Can a Broker Fix it?
The complexity and changing nature of the challenge have created an opportunity for cloud control tools and services. Again according to Gartner, by 2018, 50 percent of enterprises with more than 1,000 users will use cloud access security broker products (CASBs) to monitor and manage their use of SaaS and other forms of public cloud.
Where to Focus your Efforts
The bottom line is that, although clouds are usually secure, the secure use of public clouds requires an expanded skillset and very real effort on the part of the customer. Service provider selection is key, and SLAs need to agree. But customers will also probably need to grow their skills to incorporate policy, audit and threat analysis, and to give their team (and the business as a whole) the confidence to move into the hybrid cloud.
- Cloud Security Alliance (CSA) – analysing ‘secure behaviour’: https://blog.cloudsecurityalliance.org/2016/09/07/dealing-dropbox-unmasking-hackers-user-behavior-analytics/
- CSA enterprise research: skyhighnetworks.com/cloud-security-university/
- Gartner on CASBs/ future trends: gartner.com/newsroom/id/3143718
- Brian Dye on security and orchestration skills: http://www.csoonline.com/article/3064673/security/securing-the-hybrid-cloud-what-skills-do-you-need.html