By Scott Manson
Today, cloud use for business computing is no longer the exception, but rather the norm. Customers want to be able to take advantage of the increased agility and improved economics that come with moving to the cloud while still protecting their data, applications, and users.
Security is traditionally applied at the network perimeter; this disappears in cloud-based computing, in which borderless networks connect many types of users with enterprise private data centres and cloud based resources. In working with customers to identify their cloud use, Cisco discovered that large customers now use on average 730 individual cloud services and capabilities including software as a service (SaaS), infrastructure as a service (IaaS), and platform as a service (PaaS).
Cyberattacks today target users – not the infrastructure. Cloud security can’t be solved with legacy security technologies or siloed approach. Cloud security must be as dynamic. It has to be an extension of a business’s entire security programme where security is embedded into the intelligent network infrastructure, integrates with a rich ecosystem of applications and services, is pervasive across the extended network, not just networks themselves but all endpoints, mobile and virtual. This in turn extends to wherever employees are and wherever data is.
Naturally, education and training should play a key role in any cloud security effort that focuses on reducing risk among select users. IT leaders should also invest in automation solutions. By reducing the potential for human error, automation can play a powerful part in cloud security strategy.
If there is any advice I could give enterprises on how they could minimise risk of cloud computing at the most simple level, these would be:
Due diligence while researching a cloud solution: Be sure to review the cloud service providers’ (CSPs) security history and references; ask about known security vulnerabilities.
Utilisation of a Single Sign-on (SSO) solution to add security (and convenience): An organisation might be using a number of cloud services and applications and individual users could have multiple sets of credentials, which can be exposed. SSO means that there are fewer accounts to manage as users enter and leave the organisation and users have only one set of credentials and are less likely to write them down so they can remember them.
Working with a third party to assure cloud security on a regular basis: Work with an expert on a regular basis, either as a consultant for your business, or perform third-party audits to ensure that your CSP is compliant with your industry’s standards of security.
Implementation of end-to-end encryption: Ensure the CSP has solutions for encrypting data not only in transit, but also when the data is at rest. For the lowest risk, your data should be encrypted prior to upload, while it is in storage and can only be decrypted with the correct encryption key. Data must be mobile, and it must be secure as it travels, so secure the data by using an encrypted and secured communication protocol.
Regular update of in-house software: Your CSP has an impossible job if they have to support outdated software with known security risks.
The cloud is, undoubtedly, the future of computing and will prove to be a significant factor in businesses remaining competitive. While we may not be able to secure the entire cloud, all the time, the goal of enterprises should be to build resilience into their cloud situation and know what to do if an incident occurs with the data.