As McKinsey has noted, changes in how enterprises use technology have made corporate environments harder to protect while making their protection more important at the same time. As digital data grows, businesses are expected to become more ‘open’ and connected, even as the cybercrime landscape evolves year after year.
Cost savings, flexibility, mobility and, to some extent, security are driving rapid cloud adoption. A focus on Platform as a Service (PaaS) and Infrastructure as a Service (IaaS) allows organisations to adopt smooth digital transformation and shorten the time to market. Supply chains are also becoming more sophisticated and interconnected. That means responsibility is shared with the vendor, but accountability remains with the business itself.
Deploying cloud technology inevitably implies a loss of control in some respects. When it becomes harder to know exactly what data you even own, asset management, vulnerability management and incident management all become more challenging.
As always, awareness of the challenges involved is key to reducing cloud computing security issues and compliance exposure:
Vendor risk. Before cloud adoption, enterprises enjoyed extensive control over on-premise IT equipment, and vendor risk was limited to firmware and software updates. Cloud implementations imply far broader vendor risk. Cloud vendors are responsible for everything from network security to regulatory compliance, and it is challenging for clients to verify the assurances put in place by vendors.
Data regulations. Enterprises that handle personal and financial data face stiff penalties for violating data protection requirements. Regulations such as GDPR mandate that data is controlled and protected to a high degree. It is easier to comply with data regulations when data is stored on-site or on equipment controlled by an enterprise. Data in the cloud is a different matter altogether.
Credentials and data leakage. Utilising the cloud implies that a wider range of parties will have access to enterprise data, from a wider range of locations. Controlling access rights becomes more difficult once physical barriers are removed, and handing data to an independent third party automatically implies a loss of control.
While it’s pretty easy to scale to the cloud from a technological perspective, proper governance needs to become a top priority, including compliance, risk management, vendor management, proper data classification, access control and change management.
It is impossible to extinguish all technology security exposures from a closed, on-premise computing platform and it is even more challenging to do so in a cloud environment. However, risk mitigation can be effective in reducing the opportunities for loss, harm or noncompliance to minimal levels.
Once your enterprise is aware of the unique cloud computing security issues and compliance risks that enterprise cloud computing poses, it can take mitigating actions:
Measure your risk exposure. Every enterprise adopts cloud computing in a different shape and form. Public clouds can be more cost-effective than a private or hybrid cloud, but they involve relinquishing more control over security and compliance aspects. Similarly, opting for Software as a Service (SaaS) instead of IaaS combined with your own software implies less direct control over the software environment. Choose the solution that matches your and your client’s risk tolerance.
Risk-profile your vendors. When using cloud computing, enterprises should remain vigilant against vendor risk. Consider questions around ownership, vendor sustainability and security practices. These questions should also be asked of the vendor’s partners, since cloud risk management means managing risk at the weakest link.
Rapidly learn from failure. Cloud security breaches are constantly in the news, and in many cases, the attackers found brand-new exploits. Wise enterprises will rapidly learn from the mistakes of others and ensure cloud computing practices are quickly adapted to guard against rapid changes in the security environment.
Tightly manage user behaviour and credentials. The cloud is easy to use, accessible and open. Users should be educated in good security practices, while enterprise IT management should insist on inconvenient but effective practices such as two-factor authentication. Also, user credentials should be managed with extreme care: cloud credentials are effectively the keys to the premises.
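The credential hygiene this point calls for (two-factor authentication enforced, keys rotated and unused credentials retired) is easy to state and easy to let slip, so it is worth checking mechanically. The following is an added example, not code from the original post or from ELEKS: it audits a small identity inventory for accounts with console access but no MFA, access keys past an assumed 90-day rotation limit, and keys that have never been used or have sat idle for more than an assumed 45 days. The inventory format, the thresholds and the sample records are all assumptions made for the example; a real audit would populate the same structures from the provider’s identity API.

```python
"""Audit a cloud identity inventory for weak credential hygiene.

The record layout, thresholds and sample data below are assumptions made for
this example; they are not taken from any particular cloud provider's API.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional, Tuple

MAX_KEY_AGE_DAYS = 90   # assumed rotation policy: keys older than this are flagged
MAX_IDLE_DAYS = 45      # assumed: keys not used within this window are flagged


@dataclass
class AccessKey:
    key_id: str
    created: date
    last_used: Optional[date]      # None means the key has never been used


@dataclass
class Identity:
    name: str
    mfa_enabled: bool
    console_access: bool           # can sign in interactively (where MFA matters most)
    access_keys: List[AccessKey] = field(default_factory=list)


Finding = Tuple[str, str]          # (identity name, description of the problem)


def audit_identity(ident: Identity, today: date) -> List[Finding]:
    """Return every hygiene problem found for one identity."""
    findings: List[Finding] = []
    if ident.console_access and not ident.mfa_enabled:
        findings.append((ident.name, "console access without MFA"))
    for key in ident.access_keys:
        age_days = (today - key.created).days
        if age_days > MAX_KEY_AGE_DAYS:
            findings.append((ident.name, f"key {key.key_id} is {age_days} days old; rotate it"))
        if key.last_used is None:
            findings.append((ident.name, f"key {key.key_id} has never been used; remove it"))
        elif (today - key.last_used).days > MAX_IDLE_DAYS:
            idle = (today - key.last_used).days
            findings.append((ident.name, f"key {key.key_id} idle for {idle} days; review it"))
    return findings


def audit_inventory(identities: List[Identity], today: Optional[date] = None) -> List[Finding]:
    """Audit a whole inventory; the date is injectable so results are reproducible."""
    today = today or date.today()
    findings: List[Finding] = []
    for ident in identities:
        findings.extend(audit_identity(ident, today))
    return findings


# Constructed sample inventory (names and key ids are placeholders, not real credentials).
TODAY = date(2018, 10, 19)
SAMPLE_INVENTORY = [
    Identity("alice", mfa_enabled=True, console_access=True, access_keys=[
        AccessKey("KEY-EXAMPLE-1", TODAY - timedelta(days=30), TODAY - timedelta(days=1)),
    ]),
    Identity("bob", mfa_enabled=False, console_access=True),
    Identity("ci-deploy", mfa_enabled=False, console_access=False, access_keys=[
        AccessKey("KEY-EXAMPLE-2", TODAY - timedelta(days=200), TODAY - timedelta(days=2)),
        AccessKey("KEY-EXAMPLE-3", TODAY - timedelta(days=10), None),
    ]),
]

if __name__ == "__main__":
    for name, problem in audit_inventory(SAMPLE_INVENTORY, TODAY):
        print(f"{name}: {problem}")
```

Note that the service account `ci-deploy` is not flagged for missing MFA: it has no console access, so the check that matters for it is key rotation and removal of the unused key, which is what the audit reports. Running the audit on a schedule and treating each finding as a ticket is a simple way to turn “manage credentials with extreme care” into something measurable.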
Get to grips with data compliance. In taking advantage of the cloud, enterprises should strongly focus on the detailed terms of service and ensure that public clouds, hybrid clouds and SaaS/PaaS meet local and international regulatory standards. Understand where your data is stored and ensure that you only work with cloud vendors that practice the required compliance regimes.
From the compliance perspective, you will rely on your vendor’s capabilities to secure data, resources and workloads. Make sure you’ve covered the essential aspects from your side as well:
“Remember, you’ll be limited when conducting a cloud audit, and you’ll need to rely on a third-party opinion to verify the cloud provider’s claims. So, focus on really important audit types like SOC 2 Type 2, ISO 27001, CSA STAR, FedRAMP, etc., and check whether their scope covers all the components you need”, says Iurii Garasym, the Director of Corporate Security at ELEKS. “Also, run penetration testing, monitor the provider yourself where possible, and request and check recent OWASP Top 10 pen-test reports against their API and portal.”
Whether cloud computing security issues and compliance aspects should be managed using internal capabilities or by a public cloud provider or SaaS operator depends on the level of internal expertise your enterprise enjoys, the type of data that is handled and the client environment you operate in. Regardless, having an expert in cloud security on hand will be highly beneficial.
Cloud risks are unique and require evaluation by a partner that intimately knows how the cloud works, whether it involves developing cloud apps from scratch or migrating existing workflows to the cloud.
Contact us for an end-to-end review of your enterprise cloud security objectives; we can guide you towards maximum cloud utility with minimum risk.
Originally published at eleks.com on October 19, 2018.