Are You Using Cloud Securely?

Sun 21 July 2019, telkomtelstra

For today’s CIOs, security is top of mind when thinking about cloud computing. Security has become one of the main concerns for CIOs and IT managers when developing and running their organization. However, the IT and marketing departments tend to view cloud application systems differently. The marketing team thinks first of the output (what’s the end result), along with simplified processes and convenience of use. The IT team, in contrast, puts security first, followed by how long the application system takes to develop, whether what is proposed is comparable with the expected result, how to maintain the system and how the application system can be integrated into or transitioned from the existing system.

One of the weaknesses of cloud security is undoubtedly the users themselves. Gartner predicts that by 2020, 95% of cloud security failures will be due to user error. So, importantly, cloud security is not always about maintaining security in the system, but about maintaining security within the user base. Most users, in fact, are not aware of the security risks they create when using cloud systems, and most don’t take into account how important or sensitive the data they store in the cloud is. Consequently, organisations that run platforms like Google Drive, Dropbox, iCloud and OneDrive are required to pay extra attention to cloud security.

That said, it’s not always the customer’s fault when cloud security is breached. Of particular note is the iCloud case of 2014, where their system was hacked, causing a significant amount of customer data to be compromised. Whilst this was not the first time a cloud provider was hacked, the concern is this: if many first-class cloud providers, like Apple, Microsoft, and Amazon, can be hacked, how secure is your cloud?

Private cloud – SaaS and IaaS – can be a solution for minimizing risk within your cloud offering. IaaS and SaaS require specialised security, governance, management and different tools to ensure visibility and control at every service level established. The organization’s strategy for the use of cloud should address the fact that different cloud models have different risks and controls.

Organisations should ensure that cloud computing is put through strict planning and policy procedures. When developing a cloud strategy, there needs to be guidance on what data can be accessed from the public cloud, based on sensitivity level, and what data should be stored in a private cloud, such as more personal and commercial data, which requires a higher level of security. If organisations continue to use public cloud, choosing the right cloud providers and the right data to upload needs to be considered carefully.

IaaS governance and control require architectural, programming, testing, implementation and change control processes. The basic framework of this management model is very similar to the processes and expertise required in traditional IT management, with an understanding and overlay of cloud security technology, including specific expertise to manage security risks.

SaaS is different: the technology relies on the service provider to manage risks, which means SaaS governance on security needs to be grounded in establishing policy and encouraging compliance with the policy, in areas such as account creation, password maintenance, data access policies, and monitoring of activities.

On the flip side, IaaS systems can be complex because the workload can expand without limit, and SaaS becomes complex because of the many providers and external applications, leaving the IT team to align all SaaS applications into a single IT environment.

SaaS may be more difficult to control than IaaS, because applications can originate from multiple vendors with different features and abilities and different weak spots. There is also no single control across all SaaS applications, leading some organizations to use Cloud Access Security Brokers (CASBs) as a governance mechanism. CASBs monitor the control point of weak spots, providing a convenient point of control for managing common policies across multiple SaaS applications and a single point for monitoring user activity and usage.

According to Gartner, by year-end 2018, 50% of organizations with more than 2,500 users will use a cloud access security broker (CASB) product to control SaaS usage, up from less than 5% today.

Apart from CASB, when it’s time to evaluate your cloud service providers, be sure to ask these questions:
1. What are your data privacy policies?
2. How do you enforce those various policies?
3. Is security covered in your SLAs? If not, why not?
4. Is your data backed up and can it be recovered?
5. How do you segregate your data from others?
6. What kind of visibility will you have into your data logs?

Once you have ensured your cloud provider has the necessary security protocols in place, you can concentrate on using your cloud services across your IT or other business operations to support you in achieving your business outcomes.