By Brent Thurrell, BeyondTrust
The onward march of cloud computing seems unstoppable and its benefits – cost savings, scalability, business continuity – are hard to dispute. However, like any area of information technology, it is important to understand the security implications of moving any part of business into the cloud. The impact of a security breach can be far-reaching, which is why senior managers need to familiarize themselves with what is at stake.
After all, we are talking about trusting sensitive corporate data – including customer data, intellectual property and other content, such as information on new products - to a third party.
It’s clear that organizations that outsource to a cloud vendor often make their choices based on price instead of security. Despite the undoubted advantages, making use of a cloud provider unfortunately opens the door to some risks.
This is why, despite many C-level non IT executives being keen to cloud environments, security executives tend to walk with much more trepidation. According to a recent research report by IDC, 74 percent of IT executives and CIOs have cited security as the top challenge preventing their adoption of the cloud services model.
The reality is that wherever data is hosted, vulnerabilities and exploits do not discriminate. The same holes that exist for cyber thieves lie within cloud providers as they do for data storage on-premise.
Who is responsible for security – the cloud provider or the business user?
So is having a private cloud safer than the public cloud? The reality is that private cloud does not mean attackers will not try to enter. Indeed, the more sensitive and potentially valuable a company’s assets, the more likely an organisation will encounter a cyber security storm.
This begs the question: when a company is utilizing a cloud provider, who is actually responsible if a breach occurs or what security measures are put in place? The apparent ambiguity as to who is responsible for securing the assets which makes up the private clouds creates the exact type of security gaps on which attackers can prey. It may come as some surprise that end user licence agreements for most cloud providers state that they are not responsible for security.
Cloud providers are responsible for providing servers with a certain operating system and a certain flavour, but buyers beware: in practice, this means they might not even know when a breach has occurred. In a 2011 Ponemon study, 42 percent of respondents of cloud service providers indicate they would not know if their organizations cloud apps or data was compromised by a security breach or data exploit.
The truth is that assets, in the cloud or on premise, are part of the business; so UK organizations need to treat them as such. Take the necessary steps to secure those servers, which organizations have every right to do, just as if the data was sitting down the hall in a server room. Even though businesses are renting cloud capacity from these providers, they still have full access to assess and should approach them as part of their regular security practice. As cloud customers, businesses can still configure virtual servers and apply custom measures that comply with existing security strategies.
Tips to securing company data stored in a private cloud
So what can be done to ensure that the business’s cloud environment is secure? Here is some ‘best practice’ advice:
• Include assets held in the cloud into your normal security and privilege access management strategy.
• Regularly assess the state of vulnerability by leveraging zero day vulnerability management solutions.
• Implement regular detection scans for critical risk access points, or potential breaches. Don’t wait for the cloud provider to inform you - it may not do so.
• when employing a cloud service, review terms and conditions clearly, understanding the end user license agreements.
There are a wide variety of tools available that enable organizations to take the above steps easily and quickly, without major disruption to their existing IT infrastructures. The bottom line is that leaving private cloud security out of an organization’s integrated strategy creates a major security gap, but if the right steps are taken, then businesses can leverage the advantages of cloud computing, safely and securely.