Traditionally data security was about having robust on-premises systems and software maintained by an in-house team. That’s changing. The non-profit industry group Cloud Security Alliance promotes advances in security using traditional models alongside web-based solutions.
Users are reassessing prior assumptions that the cloud is inherently less secure than on-premise data centers. This study of a billion actual threats observed by Alert Logic last fall found cloud-hosted environments are not inherently less secure than enterprise data centers, in fact web-supported systems looked at in the study showed fewer malware and web app attacks than enterprise systems, and about the same number of brute force attacks.
Are you prepared to answer questions on cloud security? Here are a few best practices Gartner and other security researchers have recommended:
- Consider security from the beginning of a project, not midway through, starting at the infrastructure before moving up to application layers.
- Start small, migrating email and Web servers to the cloud first. See how they operate and are secured before expanding to other applications.
- Evolve your security assessment regularly as your add more cloud apps to make sure there aren't any gaps or loopholes.
- Don't assume every cloud provider has the same set of security policies. Do your homework to determine which providers are compatible with your needs.
- Just like on-premise security, multiple approaches are required to secure cloud data. Examine your options for malware protection, firewalls and intrusion prevention devices.
- Education is a must. Be sure users understand how they are at risk and how they can practice safer cloud computing
Bob Longo, Executive VP of ClearPointe, a Little Rock, Ark.-based managed services provider that offers a variety of cloud-based services for its clients, said he's hearing more and more from people looking for multi-system approaches. "Clients have come to us with existing agreements in place with
Making Sure to Use What's Right for You
Industry experts say you have to be careful to make sure that the right mix of cloud and on-premise products are used. There are several resources available to get your started, including this planning guide from Intel and this whitepaper from Savvis. Both offer good advice on things to consider when planning a comprehensive strategy for integrating cloud support services, such as what steps to take and where your next attack might originate from.
"In smaller organizations, it might even be prudent to outsource more of your security infrastructure, as finding and training staff capable of properly configuring those systems may be more of a challenge," said Tony Maro, CIO for the White Sulphur Springs, West Virgina-medical records company EvriChart Inc.
In 2011, the software vendor RSA, the maker of SecureID and other security products, suffered a major security breach that has since been addressed, but at the time the incident potentially exposed companies around the world.
"RSA taught us you still need a contingency plan for when your security vendor is compromised," Maro said.
Monte Robertson, founder of Colorado-based Software Security Solutions, cautioned: "While businesses can operate in the cloud more efficiently with reduced IT staff and actually increase their levels of security, the cloud is not a good fit for everyone."
Robertson said companies must first make sure that real benefits are tied to cloud adoption.
"Moving business operations such as Active Directory or network file shares to the cloud is where you have to be very thorough on planning and implementation," he said. "These have to be carefully designed to provide good returns and the best user experience."
Keep in mind that you want the best tech match, given your existing staff and skills mix.
"The goal should be to outsource the technology, but not the security knowledge," Maro said. “Make sure that your staff understands the basics of what any security tech is actually doing, wherever it may be located."
