October 31, 2013 By Nataraj Nagaratnam 4 min read

Cloud is an opportunity for enhanced security

“A pessimist sees the difficulty in every opportunity; an optimist sees the opportunity in every difficulty.” – Winston Churchill

Security has been repeatedly cited as a primary concern for cloud adoption; in other words, it is cloud’s worst nightmare. In a recent cloud computing usage survey, 65% mentioned security as the top obstacle to cloud adoption. But as enterprises start to adopt cloud, I start to see a change – once they look closely at what needs to be done, it becomes clear that all the best practices and policies they had to apply in traditional IT apply to cloud, and that they can actually move towards realizing them in cloud as well.

While adopting cloud technologies and services, enterprise businesses start to use SaaS applications and cloud services to engage with customers in innovative ways, and their IT teams optimize their infrastructure by adopting computing capability from the cloud – so there is a continuum from private cloud to public clouds. At a recent IBM Cloud Innovation conference, Gartner analyst James Staten shared his views on how hybrid cloud is real today, which he captures in his blog:

“If you are planning for hybrid down the road, I have a wake up call for you. Too late, you are already hybrid. If your company has even a single SaaS application in use today I can almost guarantee you it’s connected to something inside your data center giving you hybrid cloud. So hybrid isn’t a future state after you have a private cloud in place and IT Ops chooses to connect that private cloud to a public cloud. Look at it through the lens of a business process or application service which is composed of different components, some cloud-based, some on-premise. From an Infrastructure & Operations perspective, hybrid cloud means a cloud service connected to any other corporate resource (a back office app, your web site, your intranet, another SaaS app you have under contract and yes, even your private cloud). Any of these types of connections presents the same integration impact – whether you established the connection or not.

 

So the real question is how aware are you of these integrations and what are you doing about it? If they are being conducted below your radar, you better add investigating these connections to this week’s to-do list. Chances are you don’t have a clean consistent enterprise architecture in place for cloud integration. You probably aren’t funneling these connections through a standard integration mechanism. So there’s a good chance these connections aren’t being monitored or managed. There could certainly be security, compliance or data management issues at stake. You should quickly ascertain whether these connections are just read-only (best case). If they are read-write, what fields and data structures are they affecting? Are these connections secure, encrypted and stable? What level of impact are these connections having on the back office systems they are touching? Could performance or availability issues be on the horizon? Are these connections consistent with existing enterprise integration policies, such as canonical data models?

In my view, while this provides an opportunity to embrace cloud and innovate in the business, it provides an opportunity to re-assess and enhance the security posture of an enterprise’s core valuable digital assets.”

5 Cloud Security Best Practices

Enterprises can actually benefit by leveraging cloud, because they now have access to people with security skills, technology that spans traditional and cloud environments, and enhanced rigor in the governance processes. The same applies to adopting cloud. Based on our experience with many clients and enterprises that are adopting cloud, the following is a set of five best practices that we find help you re-assess your approach to cloud security:

  • Establish your security and risk posture – At a recent IBM Federal Cloud conference, one of the CIOs pointed out that when it comes to security, “Need full visibility,” and that this has enabled him to be confident in adopting cloud. This is consistent with what we hear from other CISOs and CIOs as well. So, getting intelligent about your security posture is important, so that you know what you are up against and what your security risks are. Enterprises do that by establishing a security intelligence program that enables them to continuously monitor their security and risk posture.
  • Protect your data – Which applications to move to cloud, or which SaaS services to adopt, will also depend on what data you have to move to cloud. Customers are taking a cautious approach in evaluating which applications to move and how to secure the data. Given that 98% of data security breaches happen around databases, you should apply data activity monitoring technology to gain visibility into access to data – from structured databases, to unstructured systems, to big data platforms. This is true both for data in traditional environments and for data in the cloud.
  • Know your user – Every transaction starts with a user. Verify a user’s identity, and manage access based not only on who the user is, but also on what they are accessing and in what context. As for hybrid, mature deployment and adoption continue to center on applying federated identity management technologies to address business needs and user experience.
  • Gain assurance of your apps – Increasingly, security attacks take advantage of vulnerabilities in apps, and attacks like SQL injection continue to be a weapon. Scanning applications and testing them for vulnerabilities, both as part of application development and in production, is needed to keep a healthy application environment. We are seeing this increasingly become part of the DevOps process that is fundamental to cloud.
  • Protect against threats and fraud – Network-level attacks continue, and intrusions should be prevented at both the network level and the application level. Also, users’ mobile and endpoint devices are increasingly compromised with malware, which in turn leads to hijacked user credentials and results in fraud. An effective combination of malware protection, endpoint management and mobile security should be put in place to mitigate threats and prevent fraud.

Enterprises are adopting cloud both to optimize their infrastructure and to innovate around new ways to interact with their customers. While you go through this disruptive transition, I believe that cloud provides an opportunity to have enhanced security for your enterprise. What do you think?
