Security Consideration In The Cloud

by Randy Gross, CIO, CompTIA

The IT landscape has shifted dramatically in recent years. Businesses of all sizes are exploring new models for technology, led by cloud computing and mobile solutions. 

They’re also taking a more expansive view of technology. It’s no longer confined to the back office as a support tool for the business. Today technology is front-and-centre, seen as a strategic endeavour that can directly accelerate business growth and success. Business users see benefits and gains in areas such as accessibility, agility, productivity, and scalability.

Cloud computing solutions offer a great deal of opportunity and potential, but they can also create problems that must be solved quickly before they are exploited.

A recent report from Skyhigh Networks, a cloud security and enablement company, found that the average enterprise is using 46.7 percent more cloud services this year than a year ago. Yet the report also noted that just 7 percent of cloud services meet enterprises' requirements for security, compliance, and governance. 

The biggest difference between a cloud solution and an on-premise solution is that control is given to someone else; namely, a cloud provider. The migration of systems from on premise into the cloud creates several issues for companies, especially if they have not carefully considered their security requirements before engaging with a cloud provider. 

In the early days of cloud adoption security was often cited as the primary reason that companies were not using cloud systems. Today, the large majority of companies have cleared that hurdle, either by thoroughly examining security in a cloud environment or by assuming that mass adoption of cloud systems indicates adequate security.

“The reason it is so important for companies to understand their own security requirements before engaging with a cloud provider is that there are so many different areas involved to ensure safety and reliability,” noted Seth Robinson, Senior Director, Technology Analysis for CompTIA. 

Business continuity, data retention, data encryption, credentials, data integrity, regulatory compliance, identity and access management and geographic locations are among the areas that should be subject to a security review before embarking on or expanding a cloud deployment, Robinson added.

In CompTIA’s 2015 study Trends in Information Security, between 40 percent and 60 percent of companies said they always review each of the areas list above.

This security review also drove internal changes. Nearly half of companies said they changed company policy as a result of changing views on cloud security; while 41 percent of companies built additional security features into cloud-hosted applications.

When it comes to the cloud, it’s not enough to assume that the cloud provider is adequately securing data and applications. Understanding the cloud provider’s environment and policies is essential in securing the cloud services. Cloud users should regularly review and discuss with their cloud provider how they want to handle security, reliability, compliance, and legal issues related to their cloud services. Any gaps in the provider’s security coverage must be addressed before launching the service.

Another benefit of cloud computing is that it lowers the barrier of entry to technology and gives access to areas that have traditionally required the approval—or at a minimum, the cooperation—of the IT department. An end user can start working with a Software-as-a-Service application by visiting a website and providing user credentials and billing information with engaging the services or expertise of IT professionals. Thus, the concept of “rogue IT” or “shadow IT” was born.

This refers to the tendency of lines of business to use their own budgets to procure technology resources. Certainly the concept is no unique to the cloud. But the difference with cloud resources is that they are much more powerful and usable. This represents a high risk for companies. Business staff who use cloud solutions outside the purview of those responsible for the IT environment may not be considering where data is stored, what happens in case of an outrage or how the cloud tool is integrated into other business systems. With security already a major concern for companies, this is another area to be aware of so that data remains confidential and compliance to required standards is maintained. 

“You have to look at where your data is actually being stored and who ultimately has access to it,” noted Ron Culler, Chief Technology Officer, Secure Designs, Inc. of Greensboro, N.C. “You can have a nice looking app that delivers great service, but it may sit somewhere that may not be secure. It could be distributed across multiple data centers across the world. And if you put it in unencrypted, it sits there unencrypted. You have to have policies in place to deal with those situations.”

Finally, it’s important to remember that the burden does not rest solely on the lines of business. IT departments must examine their perceptions and policies to ensure that they are no overemphasizing their preferences at the expense of business outcomes.