Security and the cloud
When it comes to security, not all clouds are created equal.
There's little doubt that cloud adoption is now a mainstream and dominant trend in the business world. A report from Intel supports this: it found that two-thirds of those surveyed expressed trust in public cloud, and roughly the same proportion of surveyed IT professionals already store data there.
Cloud is often marketed as a simpler alternative to current and legacy technologies. Some of this is a remnant of the period when the market was still trying to define cloud's use cases, which favoured simple, easily consumable definitions. The reality is that cloud is not simple. Though it packs a lot of benefits, ranging from great operational efficiencies to highly accelerated platforms at considerably lower costs, it would be a mistake to assume that cloud, even public cloud, is by nature a turnkey environment.
"Cloud is often presented as an elegant solution to complex problems," says Christo van Staden, Regional Manager, Sub-Saharan Africa at Forcepoint. "It can be, but only within certain use cases. If you are a single person operation with one laptop and an Office365 account, you don't really need to do much more. But once you start looking at multiple users, multiple geographies and multiple data streams, matters become much more complicated."
Yet many users of public cloud platforms such as Office365, Salesforce, Dropbox and the various CRM offerings, to name but a few, do not always realise this. There's an assumption that much of the due diligence, compliance and security requirements are catered for by the cloud service. Unfortunately, this is not always the case. In fact, most companies betray this assumption in their behaviour: they choose a public cloud service without consulting either their incumbent security service providers or their vendors.
The challenge one faces is that once the cloud services are engaged and active, it is trickier to conceive and implement appropriate security policies and measures after the fact. For example, a lot of company data will then flow between the business and its providers. Is there proper awareness of what data is actually going where, and who has access to it? Is it possible to quickly remove or limit exposure of certain data? Does the security service offer robust data loss prevention (DLP)? Can user accounts be managed across different profiles, and can orphaned accounts be easily spotted and managed?
For decades enterprises focused on securing valuable data and IP by building 'walls and moats' to keep bad actors and adversaries at bay, yet cyber breaches continue to proliferate. The threat landscape becomes even more complex as perimeters effectively evaporate with shifts such as cloud and mobility. The real question is whether the problem is weak or disappearing perimeters, or whether it is the need for better visibility into and understanding of how, when and why people - whether they be staff, partners, contractors, customers or, in fact, compromised or malicious users - interact with critical data, wherever that data may travel.
Forcepoint's ebook, All Clouds are not Equal, lays out the misconceptions that dog the public cloud space and lead to expensive interventions further down the line. A common one is assuming that security certifications only matter to compliance teams. Such teams are likely to look only for certificates related to internal business functions, whereas certifications can be an invaluable tool for selecting a public cloud service.
Certifications indicate that the provider is following the relevant global and territorial regulations. A provider that does not cover requirements such as the EU's General Data Protection Regulation (GDPR) can become a serious problem if a company does any business related to that region, or even with any of its residents or businesses. Similar considerations apply to certifications such as ISO 27001, ISO 27018, CSA and STAR. Lax certification could effectively shut down data operations, and with them business operations.
Another misconception is to believe that cloud providers are inherently more secure than corporate data centres. This is true at a broad level, particularly around physical access. But it does not mean that granular safeguards, such as encryption, tokens and DLP, are in place. Third-party certification can greatly help clarify what a host actually provides. Also be sure that the certification applies to all of the cloud vendor's sites, not just one.
Cloud evangelists often speak of scale, which is a key advantage of the technology. But more does not always mean better. A multitude of servers is not what dictates cloud network performance. Instead, peering, where companies gain a more direct connection to the public cloud host through appropriate peering exchanges, is the performance differentiator.
Certification is also key to good cybersecurity insurance rates. In addition, as alluded to earlier, the right certification helps ensure compliance with overarching data regulations such as GDPR, which ultimately dictate the cloud host's obligations on issues such as data sovereignty. It is unwise to underestimate the role of such regulations in a global business environment.
"Adopting a public cloud service does not shift any responsibilities," says Van Staden. "It just makes it easier and more cost-effective to access technology advantages. Companies must still make sure they understand the responsibilities between them and their hosts. The right security and auditing solutions can make this easier, especially in hybrid environments typically found at larger companies. If you know what you have and what you need, you can start asking the right questions to your potential hosting partner."
Third-party security and traffic management services deal specifically with these challenges, promoting performance, availability and granular security management between businesses and cloud services. Prevention is always better than cure, most of all in a cloud environment that can grow very complex very quickly. By demanding proof of certification, and with a solid grasp of your company's data and users, you can stop cloud's hidden challenges before they start.