September 28, 2016 By Jay Choi 3 min read

There are clear benefits to adopting cloud services, such as improved availability and cost optimization. Cloud also offers an opportunity to update legacy systems and processes that may have been on the risk register for a long time with no clear mitigation strategy in place.

Common Misconceptions About Cloud Security

IDC predicted more than 80 percent of enterprise IT organizations will implement hybrid cloud architectures by 2017. IT executives remain concerned about operating model changes, however, and many are wary of the perceived security challenges and increased operational complexity of cloud solutions.

Below are some common misconceptions related to cloud adoption.

Cloud Computing Is Less Secure

This should not be the case if done correctly. Security risks vary depending on the deployment model, but a clear assignment of ownership and accountability between the organization and the cloud service provider (CSP) can provide adequate security for the migrated workloads. The homogeneous operations and management practices applied by CSPs in their IT and operating environments can actually improve your security posture.

Cloud Security Is Too Complex

Cloud security poses a new challenge since it is managed as an extension of the current controls environment. However, a comprehensive security framework can prioritize areas of control enhancement and inform investment decisions. Added focus on data security and privacy may compound the complexities from a compliance perspective.

Cloud Security Is Difficult to Maintain

Many IT professionals are concerned about transparency and assurance. Establishing strict governance backed by metrics and enforceable service-level agreements (SLAs) can assist in measuring a CSP’s performance.

Frequently Asked Questions

Taking the first step on a journey to cloud adoption can be daunting. Some common questions to ask at the beginning of this process include:

Which Framework Do We Use?

Multiple standards are available, each with different benefits, depending on circumstances and the environment. It is critical to establish a comprehensive cloud security controls framework that leverages industry best practices and aligns with the organization’s risk appetite.

It is also important to recognize key sets of security controls and delineate roles and responsibilities clearly. This will drive performance measurement against the SLA if the CSP is appointed as a vendor.

What Are the Regulatory Implications?

Cloud offers a new set of challenges in terms of data transfer and protection, especially with new regulations coming down the pipeline. The European Union’s General Data Protection Regulation (GDPR), which will take effect in May 2018, adds to the list of concerns. To remain secure and compliant, organizations need a holistic view of the regulatory landscape.

Will I Have Full Access to the CSP’s Security Environment?

Typically, this is not the case, but some CSPs provide more security transparency than others. This should be clearly identified as part of the vendor due diligence phase. Transparency requirements must be satisfied before agreeing to the vendor’s terms and conditions.

What Workloads Can I Put on the Cloud?

This depends. Some organizations experience scope creep in cloud adoption, leading to the unplanned migration of more sensitive workloads onto cloud and negligence of the initial security principles. Such issues must be monitored to avoid a mismatch of expectations.

Where Do I Start?

Security needs to be at the heart of your cloud strategy and design. An effective cloud strategy must match the workload with the appropriate controls framework to provide assurance and protection. This approach ensures that the security capabilities offered and managed by the CSP align with the organization’s risk appetite. The framework should also consider regulatory, legal and compliance requirements that are relevant to the organization.

A Dynamic Framework

IBM utilizes a unique cloud security framework that breaks down the domains into eight categories: governance, metrics, cloud security optimization, data security, application security, network and system security, secure operations, and identity and access management.

Security teams can use governance and metrics to measure and audit the security capabilities in place. The domains consist of cloud-centric categories as well as business-as-usual security. For these domains, fundamental changes relate to maturity in service integration and the manner in which roles and responsibilities are defined within a clear ownership structure.

Conclusion

A successful transition requires a clearly defined cloud security strategy. That strategy should identify the target state and provide prioritized road map considerations that may lead to a consolidation of cloud activities within the organization.

A paradigm shift in operating models comes with many challenges. By clearly defining the workload sensitivity and controls framework, security teams can enable efficiency, agility and trust when it comes to cloud security.

Watch the on-demand webinar: Demystifying Cloud Security Transformation

More from Cloud Security

Cloud Threat Landscape Report: AI-generated attacks low for the cloud

2 min read - For the last couple of years, a lot of attention has been placed on the evolutionary state of artificial intelligence (AI) technology and its impact on cybersecurity. In many industries, the risks associated with AI-generated attacks are still present and concerning, especially with the global average of data breach costs increasing by 10% from last year.However, according to the most recent Cloud Threat Landscape Report released by IBM’s X-Force team, the near-term threat of an AI-generated attack targeting cloud computing…

Cloud threat report: Possible trend in cloud credential “oversaturation”

3 min read - For years now, the dark web has built and maintained its own evolving economy, supported by the acquisition and sales of stolen data, user login credentials and business IP. But much like any market today, the dark web economy is subject to supply and demand.A recent X-Force Cloud Threat Landscape Report has shed light on this fact, revealing a new trend in the average prices for stolen cloud access credentials. Since 2022, there has been a steady decrease in market…

Autonomous security for cloud in AWS: Harnessing the power of AI for a secure future

3 min read - As the digital world evolves, businesses increasingly rely on cloud solutions to store data, run operations and manage applications. However, with this growth comes the challenge of ensuring that cloud environments remain secure and compliant with ever-changing regulations. This is where the idea of autonomous security for cloud (ASC) comes into play.Security and compliance aren't just technical buzzwords; they are crucial for businesses of all sizes. With data breaches and cyber threats on the rise, having systems that ensure your…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today