Whether we’re talking about SaaS, PaaS or IaaS, cloud computing adoption is well beyond the tipping point. In fact, organizations are tapping the model to run more agile, efficient and cost-effective businesses. But security remains a barrier. Organizations must get better at understanding their shared responsibilities in the cloud, where the key risks lie, and how to manage compliance in an increasingly complex world.
One of the most common misconceptions about cloud security is that the provider will take care of it. A study of EMEA IT decision makers last year revealed that the vast majority believe their IaaS provider is responsible for securing customer data (64%), applications (61%) and operating systems (60%) in the public cloud. In reality, businesses need to take a far more proactive approach than this. At the very least, organizations are responsible for securing their own data and identities and for collecting and analyzing their own logs. This is true even in SaaS environments. In IaaS environments they must cover even more, including security at the OS layer.
The good news is that reputable cloud providers are pretty good at security now. They have huge teams and spend hundreds of millions managing the problem — resources the average enterprise can only dream of. But you still need to identify and secure that data.
I recommend three initial steps: identity management, data classification and hardening controls.
Identity management is one of the biggest challenges for organizations, especially in SaaS environments. Multi-factor authentication (MFA) is essential given today’s threat landscape. Phishing represents one of the biggest risks to corporate cybersecurity, accounting for over 90% of breaches last year, according to Verizon. In an Office 365 or Google Apps environment, a simple phishing attack could give hackers the keys to the kingdom: access to highly sensitive and regulated customer data.
MFA is the only effective solution to combat phishing, yet too often projects are shelved because users complain. Organizations must therefore look to MFA solutions that take a risk-based approach, meaning users are only stepped up to MFA when their log-in behavior, device or other factors change. This is the best of both worlds: maximum security with minimum user friction.
In fact, it’s always important to consider user productivity when designing cloud security solutions. Whether IT managers like it or not, we live in a world of BYOD and BYOA. This raises serious security concerns if users decide they want to store sensitive customer data or IP in an unsanctioned app or device. The only way to minimize the risk of data leakage and policy violation is by offering the kind of user-friendly but secure enterprise solutions that don’t force them underground.
The stakes are raised even higher for cloud security when one considers the myriad of regulations most medium and large-sized organizations must comply with today. It’s simply too much work to undertake manually. The answer lies with compliance automation. Organizations must look to tools that will automate their security controls based on the regulatory framework they operate in and their cloud model. This technology needs to run in the background, re-checking controls every 30 minutes, so that organizations can react quickly to changing business conditions.
Configuration automation can also help here by ensuring your sensitive data doesn’t end up publicly exposed because of a simple mistake. Even global organizations that should know better have been caught out. As long as you follow these key steps, you can avoid falling into the same trap.
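The "simple mistake" above is typically a storage bucket whose policy or ACL grants anonymous read. As an added illustration (example code, not from the author or any vendor tool), the following checker evaluates a bucket policy in IAM policy JSON plus a simplified ACL grant list and reports world-readable grants; the policies and grants are constructed sample inputs, and the condition handling is deliberately conservative.

```python
import json

# Constructed sample bucket policies (not real resources): one world-readable,
# one with the same principal but scoped to a VPC endpoint by a Condition.
PUBLIC_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]})
RESTRICTED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123example"}}}]})

# S3 predefined group URIs that mean "everyone" / "any AWS account".
PUBLIC_ACL_URIS = ("http://acs.amazonaws.com/groups/global/AllUsers",
                   "http://acs.amazonaws.com/groups/global/AuthenticatedUsers")

def _as_list(value):
    # IAM policy fields may be a single string or a list; normalize to a list.
    return value if isinstance(value, list) else [value]

def _principal_is_anyone(principal):
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(p == "*" for p in _as_list(principal.get("AWS", [])))
    return False

def _grants_read(actions):
    return any(a in ("*", "s3:*", "s3:GetObject", "s3:Get*") for a in _as_list(actions))

def public_policy_findings(policy_json):
    """Return findings for Allow statements that let anyone read objects."""
    findings = []
    for i, stmt in enumerate(_as_list(json.loads(policy_json).get("Statement", []))):
        if stmt.get("Effect") != "Allow" or not _principal_is_anyone(stmt.get("Principal")):
            continue
        if not _grants_read(stmt.get("Action", [])):
            continue
        if stmt.get("Condition"):
            # Simplification: any Condition is treated as scoping the grant. A real
            # scanner must inspect the keys, since e.g. aws:SecureTransport alone
            # does not restrict who can read.
            continue
        findings.append(f"statement {i}: anonymous read on {stmt.get('Resource')}")
    return findings

def public_acl_findings(grants):
    """grants: list of {'uri': ..., 'permission': ...}, a simplified ACL representation."""
    return [f"ACL grants {g['permission']} to {g['uri'].rsplit('/', 1)[-1]}"
            for g in grants if g.get("uri") in PUBLIC_ACL_URIS]
```

Run both functions against every bucket on a schedule (the post suggests every 30 minutes) and alert on any non-empty result; NotPrincipal/NotAction statements are out of scope for this simplified checker.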
To listen to my full conversation with Enterprise Times’ Ian Murphy, click here.