Taking steps to ensure data security in the cloud
Innovation is key to future-proofing your solutions, and research shows that the public cloud is the default platform for innovation. Over the course of the coming years, cloud innovation, particularly in security, will lead to major cloud providers offering higher levels of security than even best-in-class on-premise security.
Which organizations are adopting the cloud, and at what rate, depends heavily on market size, region and vertical. According to an ISACA white paper, the cloud market is currently in the “Growth Stage,” and it is particularly attractive for Small to Medium Enterprises (“SME”). The reasoning is that SMEs often simply cannot afford to invest in expensive on-premise applications and therefore look to cloud solutions first for applications such as Enterprise Resource Planning or Customer Relationship Management.
Cloud computing may even offer new security opportunities for SMEs.
So, what is actually meant by cloud computing, what deployment models are we talking about, and why? Here, it is assumed the reader has a good understanding of cloud, its deployment models and application areas; otherwise some very good explanations can be found from the Cloud Security Alliance (CSA).
Cloud Services are divided into three categories: Software as a Service (SaaS), Platform as a Service (PaaS), and Infrastructure as a Service (IaaS).
Adoption rates of cloud services are highest for SaaS, which is also the type of service where the security responsibility/capability lies primarily with the cloud providers. This article generally applies to all three types of services, but I’ll focus for the remainder of the article on SaaS services.
Let us assume you are considering, or are already, procuring cloud services. What needs to be taken into account? How do you know which provider to choose? Are there any established methodologies that can be leveraged?
As with any procurement process, getting a solid list of business requirements is the best first step. If you do not have the time or resources to do this, there are also very good generic guidelines available from CSA, the Consensus Assessments Initiative Questionnaire (CAIQ), which can be leveraged to compare cloud providers’ offerings and includes governance and compliance topics.
Be sure to take into account local regulations on personal data (e.g. GDPR) or industry-specific compliance requirements (e.g. PCI or HIPAA).
Larger cloud providers may have already invested heavily in these topics for their customer base. Imagine having different SaaS providers for every application, e.g. Provider 1 for Customer Experience, Provider 2 for Recruiting, Provider 3 for Enterprise Resource Planning, etc. That leads to “cloud sprawl,” and can significantly complicate both security and compliance processes.
When choosing a cloud provider, consider avoiding “cloud sprawl.” It is possible to select a cloud provider that provides multiple offerings, thereby avoiding such sprawl. How does the cloud provider ensure seamless, efficient and secure operations? What measures have been taken to guarantee business continuity and disaster recovery? Are these measures complemented with solid incident response and transparent disclosure policies?
Maintaining data confidentiality through encryption and key management may very well be more efficient for a cloud provider to implement; ask how these security features are realized. Last, but definitely not least, be sure you do not get ensnared with “vendor lock-in.” Ask about termination policies – according to Forrester, market consolidation of SaaS providers may make termination necessary.
Once a SaaS provider is chosen, some gaps may still remain, depending on the identified business requirements. In the security space, the following add-ons should be considered:
- Two-factor authentication for the management interface of the application and privileged accounts
- Implementation of your own business/organization-specific security and compliance controls
- The use of a cloud access security broker to minimize occurrence and impact of unauthorized access
- Business continuity and incident response plans, as well as disclosure policies, are still required for your own organization
Enterprise-focused cloud computing providers can offer advanced security measures, while spreading the associated costs across several customers and enabling enterprises to advance their digital transformation. Cloud providers understand that their survival depends on meeting user expectations. Robust security and reliability are part of the competitive advantage that can make a provider the preferred partner.