With the growing number of benefits the cloud can provide – greater scalability, reduced costs, easier access to applications – it’s unsurprising that more and more businesses move to the cloud each year. Over the next five years, more than $1 trillion in IT spending will be affected by this shift to the cloud, according to technology analyst Gartner.
For businesses planning to make the move, it’s important to choose the right third-party cloud services provider in order to ensure security is adequate. Organisations must make several considerations before making their choice: does the T&C align with business requirements? How will data sovereignty be handled? Who will be liable when something goes wrong?
Just the simple fact of moving data to the cloud brings with it security concerns – and having a rigorous approach to encryption in place is critical in this context. Businesses need to ensure for example that any data transitioned to the care of that provider is encrypted the moment it lands rather than post-landing. Best practice is for the business to encrypt data itself as it leaves their building. This ensures there are two layers of encryption – so that if one is compromised, one remains encrypted.
While the choice of provider is a key upfront concern, businesses also need to decide from the outset what data they want to move to the cloud and what to retain in-house. That’s why we are seeing the hybrid cloud model becoming de facto especially for larger businesses, who see benefits in keeping more sensitive customer data on-premise.
Ultimately, the business itself needs to accept a high level of responsibility for the security of its cloud-based data and this is especially key with regards to data access. One of the big issues for any business running hybrid cloud is: do they have a security policy that works seamlessly across both on-premise and cloud services: If somebody wants to access the business’s on-premise data they go through a gateway: generally a VPN, or front-end web server. However, if an employee tries to access data in the cloud, the business is unlikely to have any control over, or visibility of, that process. That’s because there is typically a standard way of accessing cloud services that is not necessarily in line with the organisation’s standard security policies.
Many cloud services will come with user name/password authentication out-of-the-box and that is likely to bring with it an element of risk. The challenge for the business is to manage and mitigate those cloud service access risks in the same way as it would its on-premise service risks. After all, cloud data belongs to the business not the cloud service provider, and the business is ultimately responsible for protecting it. And in the age of BYOD where many devices used in the corporate environment are unmanaged, that’s often a significant challenge.
So what’s the solution? Education is key, of course. Businesses need to highlight the message that employees should take a responsible approach to data protection. They must be aware of the potential security threats and do all they can to mitigate them – from keeping care of devices they use at work to ensuring passwords are consistently strong.
But in this new security environment, businesses also need to find technology solutions that allow them to mitigate risk. A key part of this is to step up the level of authentication that those devices require before they can access cloud data. Businesses can, for example, deploy an authentication portal or an access broker which means that if a user wants to access data in the cloud, they have to authenticate via the business’s own domain. That critical touch point enables the organisation to establish control over data access. And they can further mitigate risk by making the authentication mechanism adaptive depending on who and where the user is; what they want to access and what devices they are using.
So in summary, before businesses move to the cloud, they first need to find a cloud service provider they can trust; define which services and applications they are going to transition and then put a security policy in place, But critically also, across all of this process, they need to find some form of access broker and an adaptive authentication mechanism that delivers the highest possible level of control. At that point, they will have a fully secure approach to data access in place and be ideally placed to reap the many rewards that moving to cloud services can bring.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.