While business units are generally excited about the cloud, IT still has its reservations, which are largely tied to cloud security. When it comes to cloud-based communications, security can make or break an IT department, which is why choosing the right provider is one of the most important decisions to make. Here we examine the gap between the two groups and how to build IT confidence that they are getting the security they need in the cloud.
Mind the Gap Between Cloud Popularity and Cloud Adoption
The good news for the cloud is that its popularity is growing so much that it has business units excited about the benefits of a cloud initiative, especially those tied to financial gains and savings. And rightfully so, as many of those cost benefits will end up making them look good.
However, many IT groups don’t feel the same way: the use of cloud-based services means a potential loss of control, increased risk, and an aggressive shift in strategy. Also, should any security or privacy problems arise, the responsibility will likely fall back on the IT department.
A study from McAfee, Building Trust in a Cloudy Sky: The State of Cloud Adoption and Security, showed that while cloud initiatives encompass 80 percent of all IT budgets, just 23 percent of organizations completely trust the cloud to keep their data secure, which can create a barrier to true cloud adoption.
Furthermore, the report states that 60 percent of engineering firms say they lack security skills, which is slowing down their cloud adoption plans. At the same time, 36 percent of all respondents report that they are experiencing a scarcity of skills yet are continuing with their plans anyway.
What Does it Mean to be Secure in the Cloud?
Whether you are a member of the business unit looking to sway IT, or you are in the IT department, the truth is that there is such a thing as security in the cloud. Since much of the security responsibility in the cloud falls on the service provider, the selection process becomes crucial.
According to Gartner, “security in the cloud is a shared responsibility.” They recommend you follow these seven strategies for existing and planned utilization of the public cloud.
Gartner Recommendations for Ensuring Cloud Security
| Strategy | Gartner's guidance |
| --- | --- |
| Incorporate appropriate IAM | Incorporate appropriate IAM from the outset, ideally based on roles, especially for administration duties. Customers, not providers, are responsible for defining who can do what within their subscription. |
| Isolate data at rest with encryption | Providers have a vested interest in maintaining strong isolation between routine maintenance procedures and customer data, and between customers themselves. Encryption is a useful tool for creating logical isolation from other data center tenants, for enforcing classification policies and for ensuring digital shredding at end of life. |
| Segment and contain traffic with virtual network and filtering controls | For IaaS, segment and contain network traffic using the provider's virtual network and filtering controls as a minimum. Subnets within virtual private clouds can declare whether instances have Internet, virtual private network (VPN) or no external access at all. Network access control lists also define permitted and blocked inbound and outbound traffic. |
| Establish a security control plane | Use third-party tools to establish a security control plane to achieve better visibility, data security, threat protection, and compliance, as well as to automate security configurations. |
| Take full responsibility for application and instance security | Providers take no responsibility for the security of application code that customers develop and run in clouds. Use static and dynamic testing tools to identify and remove application vulnerabilities. For cloud-based workloads, consider using cloud-based testing tools. |
| Back up all data in a distinct fault domain | To spread risk most effectively, back up all data in a fault domain distinct from where it resides in production. Some cloud providers offer backup capabilities as an extra-cost option, but this is not a substitute for proper backups. Customers, not cloud providers, are responsible for determining appropriate strategies, as well as for maintaining backups. |
| Investigate the potential of being "compliant by inclusion" | Many larger providers routinely undergo various compliance audits, which serve as signals to customers indicating the seriousness with which providers regard security. Leverage the benefit of being "compliant by inclusion" by incorporating the provider's published attestations into your own. |
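The "segment and contain traffic" recommendation above says that network access control lists define permitted and blocked traffic, and the shared-responsibility point is that the customer, not the provider, is accountable for getting those rules right. Two things regularly go wrong in practice: rule ordering (a broad allow numbered before a specific deny means the deny never fires) and statelessness (reply traffic is evaluated on its own and needs its own rule). The following is an added example, not code from the original article or from Gartner. It models the numbered-rule, first-match, implicit-deny semantics of AWS VPC network ACLs; the choice of provider is an assumption for illustration, since the article names none. All rule sets, addresses and packets are constructed sample data.

```python
"""Added example: first-match evaluation of a stateless network ACL.

Modelled on the numbered-rule, first-match, implicit-deny semantics of
AWS VPC network ACLs.  That choice of provider is an assumption made for
this example; the article's guidance names no specific cloud.  All rule
sets and packets below are constructed sample data, not real configuration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    number: int      # rules are evaluated in ascending order of this number
    action: str      # "allow" or "deny"
    protocol: str    # "tcp", "udp" or "all"
    cidr: str        # remote CIDR: source for inbound, destination for outbound
    port_from: int   # inclusive destination-port range
    port_to: int


@dataclass(frozen=True)
class Packet:
    protocol: str
    address: str     # remote address: source for inbound, destination for outbound
    port: int        # destination port


def evaluate(rules, packet):
    """Return (action, rule_number) of the first matching rule.

    A packet matching no rule is implicitly denied, reported as ("deny", None).
    """
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.protocol not in ("all", packet.protocol):
            continue
        if ip_address(packet.address) not in ip_network(rule.cidr):
            continue
        if not rule.port_from <= packet.port <= rule.port_to:
            continue
        return rule.action, rule.number
    return "deny", None


def shadowed_rules(rules):
    """Return (shadowed, by) pairs: rules that can never fire because a
    lower-numbered rule already matches every packet they would match."""
    ordered = sorted(rules, key=lambda r: r.number)
    result = []
    for i, later in enumerate(ordered):
        for earlier in ordered[:i]:
            if (earlier.protocol in ("all", later.protocol)
                    and ip_network(later.cidr).subnet_of(ip_network(earlier.cidr))
                    and earlier.port_from <= later.port_from
                    and later.port_to <= earlier.port_to):
                result.append((later.number, earlier.number))
                break
    return result


# Constructed sample data: VPC_CIDR is our own address space, ANYWHERE the Internet.
VPC_CIDR, ANYWHERE = "10.0.0.0/16", "0.0.0.0/0"

# Inbound ACL for a private subnet: only HTTPS from inside the VPC; everything
# else, including SSH from the Internet, falls through to the implicit deny.
PRIVATE_INBOUND = [Rule(100, "allow", "tcp", VPC_CIDR, 443, 443)]

# Misordered ACL: the intended SSH block is numbered after an allow-all,
# so first-match evaluation never reaches it.  REORDERED is the fix.
MISORDERED = [
    Rule(100, "allow", "all", ANYWHERE, 0, 65535),
    Rule(200, "deny", "tcp", ANYWHERE, 22, 22),
]
REORDERED = [
    Rule(100, "deny", "tcp", ANYWHERE, 22, 22),
    Rule(200, "allow", "all", ANYWHERE, 0, 65535),
]

# Stateless caveat: an outbound ACL that only allows 443 drops the replies a
# web server sends back to a client's ephemeral port, even though the inbound
# request on 443 was allowed.  The fix is an explicit rule for that range.
OUTBOUND_STRICT = [Rule(100, "allow", "tcp", VPC_CIDR, 443, 443)]
OUTBOUND_WITH_EPHEMERAL = OUTBOUND_STRICT + [
    Rule(110, "allow", "tcp", VPC_CIDR, 1024, 65535),
]

if __name__ == "__main__":
    ssh_from_internet = Packet("tcp", "203.0.113.7", 22)
    https_from_vpc = Packet("tcp", "10.0.3.12", 443)
    reply_to_client = Packet("tcp", "10.0.3.12", 51515)
    print("private subnet, SSH from Internet:", evaluate(PRIVATE_INBOUND, ssh_from_internet))
    print("private subnet, HTTPS from VPC:   ", evaluate(PRIVATE_INBOUND, https_from_vpc))
    print("misordered, SSH from Internet:    ", evaluate(MISORDERED, ssh_from_internet))
    print("misordered, shadowed rules:       ", shadowed_rules(MISORDERED))
    print("reordered, SSH from Internet:     ", evaluate(REORDERED, ssh_from_internet))
    print("strict outbound, reply to client: ", evaluate(OUTBOUND_STRICT, reply_to_client))
    print("with ephemeral, reply to client:  ", evaluate(OUTBOUND_WITH_EPHEMERAL, reply_to_client))
```

Running the script shows the two failure modes side by side: the misordered list lets SSH from the Internet through on rule 100 and `shadowed_rules` reports rule 200 as unreachable, while the strict outbound list silently breaks the very HTTPS service the inbound list permits. Checks like these belong in the customer's own review of provider-side filtering, since, as the table says, the provider will not define them for you.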