Almost daily, we hear of another breach of corporate digital security. No one wants to be the next cyber-attack headline, particularly a company that has built its business on databases full of customer and transaction data. But when an enterprise stores its data in locations beyond its own boundaries, its IT leaders give up some control over the entry points to their information assets.
Multitenant architectures popularized by the cloud complicate security by sharing physical infrastructure with other, unknown organizations, any of which must be assumed to be untrustworthy. Though government programs and industry consortia have created some governance around cloud security, and President Obama has unveiled proposed legislation to improve consumer privacy, boost cybersecurity and prevent identity theft, it is still up to each enterprise to employ the tools and tactics needed to protect its customers when operating in the cloud.
First of all, a company should never approach cloud security as a “one-size-fits-all” proposition. Security issues vary significantly with the service model (Infrastructure-as-a-Service, Platform-as-a-Service or Software-as-a-Service), with the delivery model (private, community, public or hybrid) and even with the specific service provider selected. Two providers that both offer, say, infrastructure compliant with the Payment Card Industry Data Security Standard (PCI DSS) may accept vastly different amounts of responsibility for making sure the implementation is secure, leaving more or less of it on the shoulders of the enterprise; a provider’s compliance attestation covers the provider’s controls, not the way the enterprise configures and uses the service on top of them. Even the definition of cloud may differ greatly from one provider to another.
When moving applications to the cloud, trade-offs abound, and some of them involve security. If an enterprise uses public IaaS, for example, it will likely have to accept a generic, highly standardized service that may comply with industry and government regulations and standards but is not flexible enough to meet the enterprise’s specific security requirements, and that may not permit the audits and penetration tests the enterprise would normally require of its own infrastructure. A private, on-premises solution may not have these limitations, but it also may not deliver the elasticity or cost savings a public solution would. Large, complex systems will often end up as hybrid deployments, which require a new level of sophistication to secure properly.
It is critical, then, that a company selecting a cloud service provider evaluate security before deciding to do business, at least to the extent that it can. Integration with internal IT security is crucial, since in a hybrid solution every touch point between the client’s infrastructure and the provider’s (network links, federated identity, shared credentials, data synchronization) widens the attack surface and must be tested thoroughly. Most providers are accustomed to answering security questions and can provide a great deal of information on what they can and cannot do to keep a client’s data and systems secure.
A good cloud strategy always begins with an application-centric assessment of fit for purpose, which must prioritize security requirements. Some applications will benefit greatly from public cloud and present little real security risk to the organization. These applications represent the best opportunities for a company to get its feet wet and learn as it goes the hidden limitations of the provider’s security. IT and business leaders should not be reluctant to hit the stop button on a cloud project if they learn something critical that they missed in their initial evaluation. A lot depends on these decisions.
Too many organizations assume that doing business with a cloud provider automatically shifts all of the security responsibility to the provider, which is clearly not the case. Contracting with a cloud provider does move some of the responsibility, but not all of it, and it may even create new areas of concern. A control console or “orchestration layer” that can bring data center resources up and down with a few mouse clicks represents a new and substantial risk because it is a single point of control: whoever holds its credentials or API keys, legitimately or otherwise, holds the same power over every resource it manages. That means it must be addressed through new policies and procedures (strong authentication for console access, least-privilege roles, and logging of every control action) and possibly by shifting where the security investment goes. Right now there are a great number of options in the marketplace that promise efficient and effective control over vast infrastructure resources, but when a company puts this many eggs into one basket, security must be central to the evaluation, and the company’s procedures must be adapted to these new solutions as they come on line.
In the final analysis, there is no such thing as a 100 percent secure enterprise. Leaders must identify and rank their security risks, allocate funds accordingly and spend what is needed to close the vulnerabilities that could hurt them the most. This will always involve trade-offs. The key to success in this ever-changing environment is keeping up with what those trade-offs are.
Contact us to find out how ISG can help.