October 31, 2013 By Nataraj Nagaratnam 4 min read

Cloud is an opportunity for enhanced security

“A pessimist sees the difficulty in every opportunity; an optimist sees the opportunity in every difficulty.” – Winston Churchill

Security has been repeatedly quoted as a primary concern to cloud adoption. In other words, cloud’s worst nightmare. In a recent cloud computing usage survey, 65% mentioned security as the top obstacle to cloud adoption. But as enterprises start to adopt cloud, I start to see a change – once they look closely at what needs to be done, it becomes clear that all the best practices and policies they had to apply in traditional IT applies to cloud, and can actually move towards realizing that in cloud as well.

While adopting cloud technologies and services, enterprises businesses start to use SaaS applications and cloud services to engage with customers in innovative ways; their IT teams are optimizing their infrastructure by adopting computing capability from the cloud – so there is a continuum from private cloud to public clouds. At a recent IBM Cloud Innovation conference, Gartner analyst James Staten shared his views of how hybrid cloud is real today, which he captures in his blog:

“If you are planning for hybrid down the road, I have a wake up call for you. Too late, you are already hybrid.  If your company has even a single SaaS application in use today I can almost gurantee you it’s connected to something inside your data center giving you hybrid cloud. So hybrid isn’t a future state after you have a private cloud in place and IT Ops chooses to connect that private cloud to a public cloud. Look at it through the lens of a business process or application service which is composed of different components, some cloud-based, some on-premise. From an Infrastructure & Operations perspective, hybrid cloud means a cloud service connected to any other corporate resource (a back office app, your web site, your intranet, another SaaS app you have under contract and yes, even your private cloud). Any of these types of connections presents the same integration impact – whether you established the connection or not.

 

So the real question is how aware are you of these integrations and what are you doing about it? If they are being conducted below your radar, you better add investigating these connections to this week’s to-do list. Chances are you don’t have a clean consistent enterprise architecture in place for cloud integration. You probably aren’t funneling these connections through a standard integration mechanism. So there’s a good chance these connections aren’t being monitored or managed. There could certainly be security, compliance or data management issues at stake. You should quickly ascertain whether these connections are just read-only (best case). If they are read-write, what fields and data structures are they affecting? Are these connections secure, encrypted and stable? What level of impact are these connections having on the back office systems they are touching? Could performance or availability issues be on the horizon? Are these connections consistent with existing enterprise integration policies, such as canonical data models?

In my view, while this provides an opportunity to embrace cloud and innovate in the business, it provides an opportunity to re-assess and enhance security posture of an enterprise’s core valuable digital assets.”

5 Cloud Security Best Practices

We can actually benefit by leveraging cloud, because they now have access to people with security skills, technology that span traditional and cloud, and enhanced rigor in the governance processes. Same applies to adopting cloud. Based on our experience with many clients and enterprises who are adopting cloud, following are set of five best practices we find helps you re-assess your approach to cloud security:

  • Establish your security and risk posture – In a recent IBM Federal Cloud conference, one of the CIOs pointed out that when it comes to security “Need full visibility” and that has enabled him to be confident in adopting cloud ! This is consistent with what we hear from other CISO/CIOs as well.  So, getting intelligent about your security posture is important so that you know what you are up against, and what your security risks are. Enterprises do that by establishing a security intelligence program, enabling them to continuously monitor their security and risk posture.
  • Protect your data – What applications to move to cloud or what SaaS services to adopt, will also depend on what data you have to move to cloud. Customers are taking cautious approach in evaluating what applications to move, and how to secure the data. Given 98% of data security breaches happen around databases, you should apply data activity monitoring technology to gain visibility about access to data – from structured data bases, to unstructured systems, to  big data platforms. This is true for both data in traditional environments, as well as data in the cloud.
  • Know your user – Every transaction starts with a user. Verifying a users identity, and managing access based not only on who the user is, but also on what they are accessing and under what context. Talking about hybrid, the mature deployment and adoption continues to be around applying federated identity management technologies to address business needs, and user experience.
  • Gain assurance of your apps – Increasingly security attacks take advantage of vulnerabilities in apps, and attacks like SQL injection continues to be a weapon. Scanning applications and testing them for vulnerabilities as part of application development, and in production is needed to keep a healthy application environment. We are seeing this increasingly being part of the devOps process that is fundamental to cloud.
  • Protect against threats and fraud – Network level attacks continue, and intrusions should be prevented both at network level and application level. Also, increasingly users’s mobile and endpoint devices are compromised with malware, which in turn lead to hijacking users credentials and resulting in fraud. Effective combination of malware protection, endpoint management and mobile security should be put in place to mitigate threats and prevent fraud

Enterprises are adopting cloud to both optimize their infrastructure, as well as innovate around new ways to interact with their customers. While you go through this disruptive transition, I believe that cloud provides an opportunity to have enhanced security for your enterprise. What do you think?

More from Cloud Security

Cloud security evolution: Years of progress and challenges

7 min read - Over a decade since its advent, cloud computing continues to enable organizational agility through scalability, efficiency and resilience. As clients shift from early experiments to strategic workloads, persistent security gaps demand urgent attention even as providers expand infrastructure safeguards.The prevalence of cloud-native services has grown exponentially over the past decade, with cloud providers consistently introducing a multitude of new services at an impressive pace. Now, the contemporary cloud environment is not only larger but also more diverse. Unfortunately, that size…

The compelling need for cloud-native data protection

4 min read - Cloud environments were frequent targets for cyber attackers in 2023. Eighty-two percent of breaches that involved data stored in the cloud were in public, private or multi-cloud environments. Attackers gained the most access to multi-cloud environments, with 39% of breaches spanning multi-cloud environments because of the more complicated security issues. The cost of these cloud breaches totaled $4.75 million, higher than the average cost of $4.45 million for all data breaches.The reason for this high cost is not only the…

Accelerating security outcomes with a cloud-native SIEM

5 min read - As organizations modernize their IT infrastructure and increase adoption of cloud services, security teams face new challenges in terms of staffing, budgets and technologies. To keep pace, security programs must evolve to secure modern IT environments against fast-evolving threats with constrained resources. This will require rethinking traditional security strategies and focusing investments on capabilities like cloud security, AI-powered defense and skills development. The path forward calls on security teams to be agile, innovative and strategic amidst the changes in technology…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today