As enterprises shift to hybrid cloud platforms it is easy for the security stance of the organisation change without anyone really noticing.
It is vital that basic security procedures are followed for every step of the process and for every part of the business’s infrastructure. There is no reason for the cloud to be inherently insecure or risky, as long as you do not forget the basics of IT security.
The complexity of hybrid platforms make it essential that proper automated management tools are put in place. This will allow you to track exactly where data and crucial applications are stored and what protections and back-ups are in place.
For larger companies this plays two vital roles.
Firstly it gives you a strong foundation on which to build a secure platform but secondly it provides a necessary first step for ensuring compliance. Cloud platforms don’t just need to be secure for many industries they also need to be able to prove they are secure.
What are the threats?
The most often cited threat is still the data breach. With zero day exploits being shared and distributed ever more quickly staying on top of threat intelligence is a big challenge. But a bigger problem is that sharing information on attacks often comes very late in the security response. In some countries a company’s ability to share details is even restricted by law.
The Cloud Security Alliance is leading calls to improve information sharing by setting up the Cloud Cyber Incident Sharing Center, or Cloud-CISC. This aims to enable companies to quickly and easily share cyber threats to speed up early warning systems. It also provides a way for organisations to collaborate on defending against new attacks and expanding expertise across the industry.
Of course the data breach is a threat for the traditional data centre just as much as for a cloud service.
This highlights the importance of getting the basics of cyber security in place first. Staff still need to be trained, operating systems need to be kept up to date and patches applied. Malicious insiders remain a risk where ever your corporate data is stored.
But there are some risks which are specific to the cloud or potentially more dangerous in cloud environments.
The first of these, as identified by the CSA, is identity and access management. It is likely that your organisation has quite mature procedures in place to protect access to the data centre and to crucial enterprise applications.
Shifting to the cloud leaves the potential for wider access via remote access to key systems. None of this is rocket science but a shift to the cloud requires proper multi-factor authentication to keep the organisation secure but given the weaknesses of passwords it should be considered as a useful part of a broader IT security strategy. It can also stop social engineering attacks which remain a real threat to password integrity.
The second threat is more specific to cloud applications. Cloud services rely on Application Programming Interfaces to allow communication between client devices and software and between different parts of the software stack.
This provides another doorway for hackers to get through in order to access data and applications.
Keeping APIs secure means ensuring proper testing of code before it is released. It requires adoption of secure coding and development processes and careful security testing. There are several open source models which can help strengthen API security along with HPE’s Fortify portfolio.
Intelligent security software which monitors activity on the network can also identify compromised APIs before the bad guys can take advantage.
Thinking strategically about cloud security
It might seem obvious but moving to the cloud does not do away with the need to take due diligence and think about the security impact of any new arrangement.
The temptation is to think that you are outsourcing all the security risks when you shift to the cloud.
But really the risk remains yours, especially if you do not choose your cloud partners carefully.
You need to think about uptime and the impact of losing access to cloud based services. Even a cursory look at the technology news will show you that even the best services do have problems. Choosing the best partner is not enough. You also need to have a plan B and consider the impact of prolonged downtime on the organisation. Having an alternative platform should not just be theoretical you should test switching systems on a regular basis.
Back-up systems and databases are no use on their own – they need to be instantly accessible to the rest of the enterprise’s applications.
Equally switching to a cloud provider does not end your responsibility to ensure your data is complying with relevant legislation. This is especially tough right now with shifting rules as the UK exits the European Union. But you need to know where your partner will be storing data and under which set of data protection rules.
The General Data Protection Regulations, just a few months away now, will create hefty new penalties for getting this wrong.
Telling the future of clouds
Choosing a cloud partner is difficult. Knowing what your chosen partner will look like in three or five years time is even harder.
Beyond making the very best decision now, for what will be a very close business relationship, you also need to think about what happens if the relationship ends.
The aims of your business might be perfectly in line with those of a chosen supplier today. But supplier focus changes and so can the needs of your business.
Look closely at service level agreements and contracts to ensure you can end the partnership and easily and quickly get your data and applications shifted to an alternative platform as required.
Cloud strategy is not really very different from broader technology strategy. Keeping it secure means choosing the right partners, the right management tools and staying abreast of the evolving threat landscape.
There is an excellent introduction to dealing with these issues on the HPE website here:
You can also get help from the Cloud Security Alliance, here:
https://cloudsecurityalliance.org