How Secure is Your Cloud Infrastructure?
Alex Peters, CISSP and Manager in the Technology Sales Organisation at Symantec, argues that unless appropriate action is taken, the uncontrolled shift of corporate data into the cloud will have major repercussions for organisations everywhere.
One call, one credit card, one transaction. That’s all it takes now for someone in your company to engage with a cloud service provider (CSP) and launch a new cloud service. Everyone is at it—your engineering teams might be deploying Amazon Web Services right now to support a new R&D project, while the sales team are setting up a salesforce.com subscription to underpin a new sales initiative, or field service reps are using a new private cloud app for case management.
Great news, you might be thinking, and the ideal response to these recessionary times: here we have an innovative path to improving business agility, increasing productivity, and remaining competitive, while keeping capex costs under control. Almost everyone in the organisation would agree with this notion…except maybe one. For the chief information security officer (CISO) or equivalent person responsible for maintaining information security, the gradual shift in critical, confidential corporate data to the cloud strikes fear into their hearts.
All of a sudden, the most valuable commodity in the business—data—is no longer under their control. Alarm bells begin to ring concerning identity and access control, information security, and information management. More people accessing more cloud applications means more users, more identities, and more data for the CISO to protect. Users may be putting sensitive data into the cloud—confidential emails, sales proposals—that you don’t want up there; and they may be using private clouds the CISO doesn’t even know about.
Moreover, the approach inevitably falls short of a company’s corporate compliance and data governance requirements. Many web services such as Office 365, for example, only require a simple user name and password: once these simple safeguards are breached, your confidential sales, R&D, or customer information could be leaking outside of the business in seconds.
So what’s the answer? How can the organisation keep users productive in the cloud while keeping control? I would argue that the first step has to be creating awareness among the users. Right now, too many users think about the benefits of using a CSP first, and the security implications later—often when it is too late. Users need to be more aware from the outset about the hazards ahead, including the danger of data not being encrypted and the risks of data loss and leakage.
Awareness will not cure all ills though. As the adoption of cloud services remains fragmented in the organisation, you need to consider other, more innovative and holistic means of protecting the cloud and the way your staff interact with CSPs. For example, you might consider creating a single, secure access point for the cloud—one that enables you to apply consistent identity and information security across all your cloud services and devices.
This access point introduces multiple layers of protection for the cloud, such as identity and access control, information security, and information management. The access control layer, for instance, provides single sign-on and identity brokering to ensure strong authentication and proper control over access to the cloud services. And the information security layer employs data loss prevention and encryption to block and encrypt your confidential information before it is stored in the cloud.
Security cannot be an impediment to the adoption of cloud services. However, since we don’t own or control the infrastructure that cloud-based services are delivered from, there is an increasing need to inject security policy such as identity mapping, encryption and access control between users and the CSP’s cloud-based services.
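The two preceding paragraphs describe an access point that sits between users and the CSP and applies identity brokering, access control and data loss prevention before anything reaches the cloud. The following Python sketch is an added example written for this page, not Symantec's product or any code from the article: it maps internal users to CSP principals from a constructed table, checks service entitlement, scans the outbound payload for a confidentiality marker and for Luhn-valid card numbers, and either blocks, forwards, or replaces the card numbers with vault tokens. The identity table, the vault key and the sample requests are all constructed; vault-style tokenization (a keyed hash kept alongside a vault mapping) stands in for the encryption step because the Python standard library has no block cipher.

```python
import hashlib
import hmac
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed identity broker table: internal user -> CSP principal and entitled services.
IDENTITY_MAP = {
    "alice@corp.example": {"csp_principal": "alice.sales", "services": {"crm"}},
    "bob@corp.example": {"csp_principal": "bob.eng", "services": {"compute", "storage"}},
}

# Assumed vault key for tokenization; in a real gateway this lives in a KMS or HSM.
VAULT_KEY = b"constructed-demo-key-not-for-production"

# Candidate card number: 13 to 16 digits, optional single space or dash between digits.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,15}\b")
CONFIDENTIAL_RE = re.compile(r"\bCONFIDENTIAL\b", re.IGNORECASE)


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: filters out phone numbers and order IDs that merely look like PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def tokenize(value: str) -> str:
    """Vault-style token: keyed hash, so the CSP stores nothing reversible without the vault."""
    digest = hmac.new(VAULT_KEY, value.encode(), hashlib.sha256).hexdigest()
    return "tok_" + digest[:16]


def classify(payload: str) -> List[str]:
    """DLP classification of an outbound payload; returns the finding types present."""
    findings = []
    if CONFIDENTIAL_RE.search(payload):
        findings.append("confidential-marker")
    for m in CARD_RE.finditer(payload):
        if luhn_ok(re.sub(r"[ -]", "", m.group())):
            findings.append("pan")
    return findings


@dataclass
class Decision:
    action: str      # "allow", "block" or "tokenize"
    reason: str
    payload: str     # what would be forwarded to the CSP (unchanged when blocked)
    tokens: Dict[str, str] = field(default_factory=dict)  # token -> original value, kept in the vault


def gateway(user: str, service: str, payload: str) -> Decision:
    """Single access point: identity brokering, entitlement check, then DLP policy."""
    ident = IDENTITY_MAP.get(user)
    if ident is None:
        return Decision("block", "unknown identity", payload)
    if service not in ident["services"]:
        return Decision("block", f"{user} is not entitled to {service}", payload)

    findings = classify(payload)
    if "confidential-marker" in findings:
        return Decision("block", "confidential document may not leave the business", payload)
    if "pan" in findings:
        tokens: Dict[str, str] = {}

        def swap(m: "re.Match") -> str:
            digits = re.sub(r"[ -]", "", m.group())
            if not luhn_ok(digits):
                return m.group()          # leave non-card digit runs untouched
            tok = tokenize(digits)
            tokens[tok] = digits          # vault retains the mapping, CSP only sees the token
            return tok

        return Decision("tokenize", "card numbers replaced by vault tokens",
                        CARD_RE.sub(swap, payload), tokens)
    return Decision("allow", f"forwarded as {ident['csp_principal']}", payload)


if __name__ == "__main__":
    # Constructed requests illustrating each policy outcome.
    for user, svc, text in [
        ("alice@corp.example", "crm", "Customer card 4111 1111 1111 1111 on file"),
        ("alice@corp.example", "compute", "launch build node"),
        ("bob@corp.example", "storage", "CONFIDENTIAL roadmap attached"),
        ("bob@corp.example", "storage", "Order 1234 5678 9012 3456 shipped"),
    ]:
        d = gateway(user, svc, text)
        print(f"{d.action:8} {d.reason:45} -> {d.payload}")
```

The entitlement check is the access control layer, the `classify`/`swap` pair is the information security layer, and `tokens` is what the gateway keeps back so that a compromised CSP account exposes only tokens rather than card data.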
Let’s capitalise on the value of CSPs, but let’s also keep it all under control.