Moving to the cloud? These tips will help determine data security.
Large companies will accelerate cloud adoption this year, Forrester Research predicts. Spending on the global public cloud market is expected to hit $146 billion this year, up from $87 billion in 2015.
If you’re among them, there are several risks and opportunities to consider. Unlike electric companies, cloud providers vary widely in the quality they offer, especially in terms of security.
Plan in-depth conversations with prospective vendors and internal teams about security risks, responses, and policies. What should those conversations look like? Here’s a peek:
What selling points does the vendor highlight?
Plenty of organizations simply choose the least expensive cloud provider they can find. What they might not realize is that cloud providers compete on a number of factors; price is just one. Low-cost service providers have a number of ways to reduce overhead. Lighter security is one of them. If cost is a vendor’s differentiator, be wary.
Will the migration be a sprint, or a marathon?
Too often, we see aggressive timetables for cloud migration that leave out any chance of an evaluation and troubleshooting period. There’s no need to push forward just because that’s what the calendar dictates. Start with applications that aren’t mission critical. Test and evaluate their performance before proceeding.
What does that in-between phase look like?
So you’ve decided to move slowly. For some period of time, your company will operate in a mixed environment with new security policies. Apps in the cloud may have different policies and permissions than those in your data center. Router and firewall settings might not align. Create a blanket policy to cover this in-between phase, or find a way to automate security configurations during the migration period.
Does your team have what it takes?
There are still a lot of executives who think IT is a minor support role. They roll their eyes when the IT team starts explaining a problem. But a big IT move like a cloud migration is going to need high-level support from the beginning. Build a team across different roles that has institutional juice to make decisions and move the project forward. Keep this team in place after the migration to form a rapid reaction team that can respond to attacks.
Who else lives in your cloud neighborhood?
Hackers can disrupt multiple enterprises by hitting a single cloud services provider. Even if they’re targeting a single company that you happen to share a server with, your service will degrade. It’s important to know who you share cloud space with and whether they are more likely to be targeted for political or financial reasons, or because the cloud provider takes a lax approach to security.
Will your security threaten your privacy or data integrity?
When an attack occurs, you have to separate the normal traffic from the bad. If your traffic is encrypted, this means that some of that traffic must be at least partially decrypted offsite by your provider’s tools. While that can sort out the malicious traffic, it can also expose sensitive information.
Ask your provider to use techniques that limit the amount of decryption, and to use behavioral threat algorithms that identify threats using as little decrypted content as possible. This will not only speed up the process, but also help ensure the privacy of your data. Also remember that not all protection services include SSL, so if this is important to you, make sure you ask the right questions and don’t make assumptions.
Do you know your response options?
Just because you’ve placed your data in the cloud doesn’t mean you have to place all your faith in your vendor’s security. There are a number of tools on the market that allow companies to perform their own attack detection and mitigation, even when all transactions are cloud-based. By leveraging DNS changes or BGP redirects with these cloud security providers (if your provider will allow it), you can still have independent, third-party cloud-based protections for your cloud hosting environment.
How cloudy do I need to be?
Remember that cloud doesn’t always mean your data is in an intangible place. Many datacenter providers will build bespoke Virtual Private Clouds (VPCs) in their datacenters for you. They specialize in this type of work and have learned the best ways to overcome many of the migration difficulties other organizations have experienced. What’s more, many of these providers can build custom security protections specifically for your organization – even on independent hardware if you need it. They do this kind of work all day, every day, and a company like this can offer unique advantages in supporting your organization. Many providers will allow you to tour their facilities, which might help you decide if they’re the right fit for your organization.
There’s a reason we no longer bother making electricity in our office parks. Cloud isn’t for everyone, but it’s right for many organizations. Planning your transition is the best way to ensure success.