October 31, 2013 By Nataraj Nagaratnam

Cloud is an opportunity for enhanced security

“A pessimist sees the difficulty in every opportunity; an optimist sees the opportunity in every difficulty.” – Winston Churchill

Security has been repeatedly quoted as a primary concern for cloud adoption. In other words, cloud's worst nightmare. In a recent cloud computing usage survey, 65% mentioned security as the top obstacle to cloud adoption. But as enterprises start to adopt cloud, I start to see a change: once they look closely at what needs to be done, it becomes clear that all the best practices and policies they had to apply in traditional IT apply to cloud, and that they can actually move towards realizing them in cloud as well.

While adopting cloud technologies and services, enterprise businesses start to use SaaS applications and cloud services to engage with customers in innovative ways; their IT teams are optimizing their infrastructure by adopting computing capability from the cloud, so there is a continuum from private cloud to public clouds. At a recent IBM Cloud Innovation conference, Gartner analyst James Staten shared his views of how hybrid cloud is real today, which he captures in his blog:

“If you are planning for hybrid down the road, I have a wake up call for you. Too late, you are already hybrid. If your company has even a single SaaS application in use today I can almost guarantee you it’s connected to something inside your data center giving you hybrid cloud. So hybrid isn’t a future state after you have a private cloud in place and IT Ops chooses to connect that private cloud to a public cloud. Look at it through the lens of a business process or application service which is composed of different components, some cloud-based, some on-premise. From an Infrastructure & Operations perspective, hybrid cloud means a cloud service connected to any other corporate resource (a back office app, your web site, your intranet, another SaaS app you have under contract and yes, even your private cloud). Any of these types of connections presents the same integration impact – whether you established the connection or not.

 

So the real question is how aware are you of these integrations and what are you doing about it? If they are being conducted below your radar, you better add investigating these connections to this week’s to-do list. Chances are you don’t have a clean consistent enterprise architecture in place for cloud integration. You probably aren’t funneling these connections through a standard integration mechanism. So there’s a good chance these connections aren’t being monitored or managed. There could certainly be security, compliance or data management issues at stake. You should quickly ascertain whether these connections are just read-only (best case). If they are read-write, what fields and data structures are they affecting? Are these connections secure, encrypted and stable? What level of impact are these connections having on the back office systems they are touching? Could performance or availability issues be on the horizon? Are these connections consistent with existing enterprise integration policies, such as canonical data models?

In my view, while this provides an opportunity to embrace cloud and innovate in the business, it provides an opportunity to re-assess and enhance the security posture of an enterprise’s core valuable digital assets.”

5 Cloud Security Best Practices

Enterprises can actually benefit by leveraging cloud, because they now have access to people with security skills, technology that spans traditional and cloud environments, and enhanced rigor in the governance processes. The same applies to adopting cloud. Based on our experience with many clients and enterprises that are adopting cloud, the following are a set of five best practices that we find help you re-assess your approach to cloud security:

  • Establish your security and risk posture – At a recent IBM Federal Cloud conference, one of the CIOs pointed out that when it comes to security, “Need full visibility”, and that this has enabled him to be confident in adopting cloud! This is consistent with what we hear from other CISOs and CIOs as well. So, getting intelligent about your security posture is important, so that you know what you are up against and what your security risks are. Enterprises do that by establishing a security intelligence program, enabling them to continuously monitor their security and risk posture.
  • Protect your data – Which applications to move to cloud, or which SaaS services to adopt, will also depend on what data you have to move to cloud. Customers are taking a cautious approach in evaluating which applications to move and how to secure the data. Given that 98% of data security breaches happen around databases, you should apply data activity monitoring technology to gain visibility into access to data, from structured databases, to unstructured systems, to big data platforms. This is true both for data in traditional environments and for data in the cloud.
  • Know your user – Every transaction starts with a user. Verify a user's identity, and manage access based not only on who the user is, but also on what they are accessing and in what context. Talking about hybrid, the mature deployment and adoption continues to be around applying federated identity management technologies to address business needs and user experience.
  • Gain assurance of your apps – Increasingly, security attacks take advantage of vulnerabilities in apps, and attacks like SQL injection continue to be a weapon. Scanning applications and testing them for vulnerabilities, both as part of application development and in production, is needed to keep a healthy application environment. We are seeing this increasingly become part of the DevOps process that is fundamental to cloud.
  • Protect against threats and fraud – Network-level attacks continue, and intrusions should be prevented at both the network level and the application level. Also, users' mobile and endpoint devices are increasingly compromised with malware, which in turn leads to hijacking of users' credentials and results in fraud. An effective combination of malware protection, endpoint management and mobile security should be put in place to mitigate threats and prevent fraud.

Enterprises are adopting cloud to both optimize their infrastructure, as well as innovate around new ways to interact with their customers. While you go through this disruptive transition, I believe that cloud provides an opportunity to have enhanced security for your enterprise. What do you think?
