8 Steps to Make Your Business Cloud Secure
Every day companies face the problem of streamlining and protecting their data storage. Cloud platforms and solutions provide fertile ground for easier IT management, cost cuts, and better flexibility and scalability. Moreover, three trends are considered to be driving global cloud adoption: the Internet of Things, growing data volumes and the software-defined data center. Yet, as the Ubuntu Cloud Survey states, security and privacy are major barriers to cloud adoption (34 percent). Along with the acknowledged benefits of cloud technology comes the stereotyped fear of insecurity. But is it really so? Are on-premise servers and storage appliances, with all their walls, guards and alarm systems, more protected from external forces than the cloud?
Cloud Solutions Are Actively Used and Comply with Standards
As Working Links CIO Omid Shiraji says, “cloud is becoming such an acceptable way of delivering IT that many of the security fears associated to holding data externally are beginning to dissipate”. In 2014, more than 75 percent of enterprises turned to the cloud, and 55.7 percent of respondents expect their companies to use cloud services considerably more in the next 12 months. Corporate usage of cloud services is clearly on the rise.
If you still feel insecure when thinking about running your business in the cloud, consider this: the Defense Department is moving its data to the cloud, for the same commonly cited reasons of cost reduction, technical efficiencies, and security considerations. Even the DoD believes that commercial companies will succeed in meeting its security requirements for nonsensitive data. As more such important announcements are made, “the national cyber bar [is] coming up”, as CIO Terry Halvorsen says. It’s certainly hard to argue with that.
Tech giants are offering users their own sets of tools, platforms, and applications for making the best of cloud computing. IBM has recently announced its cloud-based program called “Identity Mixer”. It allows users to choose which information they want to share, and with whom. According to Christina Peters, IBM chief privacy officer, “now web service providers can improve their risk profile and enhance trust with customers, and it’s all in the cloud making it easy for developers to program.” Given that the top three issues worrying executives are the privacy of personal data, potential legal risks, and loss of intellectual property, authentication without identification is a breakthrough in cloud technology.
Indeed, the go-ahead has been given for creating cloud environments in which getting access to the needed resources and managing them does not require revealing personal data. In this connection, last week the International Standards Organization proposed a new standard of data privacy in public clouds, designated ISO/IEC 27018, enabling customers to maintain control of “personally identifiable information” and, in the meantime, deal with data breaches. It’s considered to be “the first voluntary international standard around business-to-business cloud computing services.” To comply with the standard, cloud providers will have to be highly transparent; for instance, they will not be able to use customers’ personal information for marketing and advertising purposes without their consent.
The US government in turn has its own program, called FedRAMP, to “provide a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services”. Cloud services must meet the program’s security standards and be certified in order to be adopted by federal agencies. A relatively short list of the lucky few certified companies includes Akamai, AT&T, HP, IBM, Lockheed Martin, Microsoft, Oracle, Salesforce, Verizon, QTS and (since February 4) VMware.
What You Should Do to Make Your Public Cloud a Safe Place
Whether you are a large company with well-established business processes or a small startup just dipping a toe in the waters, you should take several important steps to make your cloud presence secure.
1) With workloads deployed into the cloud, your business must ensure that only the right people have access to sensitive cloud data. According to a report by Cloud Security Alliance, the top causes of accidental insider breaches include phishing attacks (49 percent), data copied to insecure devices (44 percent), accidental deletion or modification of critical data (41 percent) and use of prohibited personal devices. Even the FBI warned that “disgruntled and former employees pose a significant cyber threat to US businesses.” So it is mostly people, not the technology, that give cause for data security concern.
2) The latest study by SolarWinds further proves the point. More than half of federal IT professionals (53 percent) say “careless and untrained” insiders are the greatest source of IT security threats. To avoid the danger, you might want to implement a cloud security awareness training program, as 22 percent of organizations already have.
3) Apart from that, you should consider decent funding for data security. Many businesspeople believe that hacking and other security threats will pass them by, but in fact an insurance policy is a must for a healthy business operation. At the consideration stage, companies are not able to see the return on investment for security, which may cause some carelessness on their part, and therefore harmful data losses in the future. Despite being fully aware of the risk, companies still spent only 3.8 percent of their overall IT budget on information security needs. In many cases, budget constraints are the most significant obstacle to maintaining or improving IT security. With that in mind, you should assess the risks and build a suitable funding strategy for your cloud protection.
4) Should your data be lost due to security failures, you would benefit from an exceptional backup system. You need to have a clear data recovery strategy, because by being proactive in protecting cloud data you will not fail standards compliance. Regulations such as the Federal Information Systems Management Act (FISMA), the Health Insurance Portability and Accountability Act (HIPAA), Sarbanes-Oxley, Basel II, etc., dictate that information must be kept and available for a period, so you should have an efficient backup solution in case something happens to it. In fact, 60 percent of data loss cases are caused by the lack of a fully documented DR (Data Recovery) plan. This document can be obtained from your provider and should cover some of the following: mechanisms of emergency identification, classification, sustainable emergency duration, proper responses to an emergency, remedial actions, report messages to customers, etc. To be sure that your data will definitely be restored if an outage does occur, back it up on several sources. In doing so, you will avoid the havoc of server sabotage, replicating data or irreparably destroyed information.
5) Unique passwords for accounts are a cliché, but still an existential headache for lots of businesses. In 2014, the world experienced a shameful release of celebrity photos, a Dropbox accounts hack and other high-profile cloud attacks, with weak passwords being the major cause of them. The thing is that the vast majority of people have too many apps and services to log in to. This practically forces them to use the same password over and over again. As many as 89 percent of ex-employees retained at least one login and password from their former employer. Moreover, 76 percent of network intrusions are caused by weak or stolen passwords. The best policy seems to be using special tools for creating strong passwords, having a single sign-on portal and activating two-factor authentication, in which specific answers to additional questions or other information are required.
6) Additionally, a crucial part is finding the right provider that will meet your specific business requirements. A range of things should be considered. Since there are no “one-size-fits-all” solutions, you may need a well-known provider certified to multiple national and international security standards, or a startup with core expertise in disaster recovery. Choose whatever suits you best.
7) When moving your apps into the cloud, you should understand that the cloud itself won’t automatically protect all the data. While the cloud infrastructure provides a strong level of security protection, the deployed applications also need to meet proper security constraints. Therefore they must be tested and assessed on a regular basis. The process usually includes deliberately causing a component or software failure in the architecture in order to observe the system’s response and see whether other clusters are damaged. Start small by running a few proof-of-concept tests before you get to the entire company database. To identify possible breaches, an effective cloud security threat assessment model is of utmost importance. It will constantly break the security measures, with the goal of strengthening the system more and more.
8) Finally, you should systematically review the terms of service agreements with your provider. When familiarizing yourself with the terms and policies becomes a routine, you stay on top of things. If there is even a chance you might lose your data over some changes the provider is making, you will have enough time to prepare or even turn to another provider, and prevent the irreparable harm which data losses can do to your business.
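One way to check the account hygiene that step 5 calls for, as an added example that is not part of the original article: the script compares an export of cloud accounts with the current staff list and flags active accounts whose owner has left, that lack two-factor authentication, or that log in outside the single sign-on portal. The CSV columns, the sample rows and the function name audit_accounts are assumptions constructed for illustration.

```python
import csv
import io

# Constructed sample data: an account export from a cloud service and the
# current HR roster. Column names are assumptions, not a real product format.
ACCOUNTS_CSV = """login,owner_email,mfa_enabled,auth_method,status
alice,alice@example.com,true,sso,active
bob,bob@example.com,false,password,active
carol,carol@example.com,true,password,active
dave,dave@example.com,false,sso,active
erin,erin@example.com,true,sso,disabled
"""
CURRENT_STAFF = {"alice@example.com", "bob@example.com", "carol@example.com"}


def audit_accounts(accounts_csv, current_staff):
    """Return {login: [findings]} for every active account with a problem."""
    findings = {}
    for row in csv.DictReader(io.StringIO(accounts_csv)):
        if row["status"].strip().lower() != "active":
            continue  # disabled accounts can no longer log in
        issues = []
        # Former employee who still holds a working login.
        if row["owner_email"].strip().lower() not in current_staff:
            issues.append("owner no longer employed")
        # A password alone protects the account.
        if row["mfa_enabled"].strip().lower() != "true":
            issues.append("two-factor authentication off")
        # Separate local password instead of the single sign-on portal.
        if row["auth_method"].strip().lower() != "sso":
            issues.append("bypasses single sign-on")
        if issues:
            findings[row["login"]] = issues
    return findings


if __name__ == "__main__":
    for login, issues in audit_accounts(ACCOUNTS_CSV, CURRENT_STAFF).items():
        print(f"{login}: {', '.join(issues)}")
```

Run it against fresh exports on a schedule, for example after each offboarding, so that a retained login is caught while it is still days old.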
It’s now clear that you are at a competitive disadvantage if you don’t adopt cloud technology. And no doubt data security will remain at the top of the agenda. Today more and more companies and apps are operating in the cloud. Importantly, the security bar is expected to rise, with more cloud platforms, programs and solutions flooding the market. So there is no need to be afraid when moving your business to a cloud. Find a suitable solution and take the needed precautions. In fact, 94 percent of managers say their business’s security has improved after adopting cloud applications. It’s time you gave it a go.