In today’s digital landscape, the majority of an organization’s data is stored electronically; in fact, many organizations have started moving to cloud technology to store data. Over the years, cloud computing has grown rapidly into a significant delivery method for IT and a key enabler of business development around the world. It offers cost reduction, scalability and additional service characteristics such as broad network access, resource pooling and on-demand self-service. Cloud has redefined the way business is conducted: it has never been cheaper or easier to set up information technology.
Enterprises that shift their applications and data to the cloud also potentially expose themselves to security threats. It becomes a tough balancing act: on one hand there are productivity gains, and on the other hand there are concerns over security and compliance.
Who sees what data?
When using cloud services, cloud consumers hand over significant control of their data and infrastructure to an external provider. In a cloud environment, the data and services of multiple clients coexist on a single physical platform. Confidential data is a goldmine; valuable data residing on cloud infrastructure is susceptible to interception, and that is an uncomfortable position to be in. Loss of data in today’s business life cycle has far-reaching consequences for the business.
For most cloud consumers as well as cloud providers, the biggest concern is compliance and security. One of the core concern areas is the unsanctioned use of cloud services and applications by employees and contractors. Many organizations are unaware of unsanctioned cloud usage, while others acknowledge the use of “shadow IT” (technology deployed without oversight by the core enterprise technology group) as one of the inevitable side effects of today’s decentralized business structures and the need to deploy agile solutions quickly.
To give a few examples: an employee may upload a file to a consumer cloud file storage provider without checking the terms and conditions of a vendor that may claim ownership rights over any uploaded content. Or the cloud storage provider may not encrypt the data either in transit or while it is stored on their cloud, increasing the risk. Employees may take a piece of code from a cloud-based open source site and incorporate it into their own program without fully checking the validity of the adopted code. Or employees may simply discuss technical problems on a cloud-based community site for like-minded individuals, which may be a great way to increase productivity but may also result in the loss of valuable intellectual property.
While most cloud providers and online companies consider risk management and compliance a cumbersome and expensive burden, an integrated approach to dealing with them can turn into a selling proposition.
Risk and compliance in cloud:
Since cloud technologies depend heavily on virtualization, a body of mature virtualization security and compliance guidance is of utmost importance. Risks can also be mitigated in a number of ways, including deploying monitoring tools that scan cloud access, software downloads and storage. Some of these tools can identify individuals, IP addresses and abnormal trends, and can rank risk by site and usage against profiles of cloud vendors. Technical monitoring alone is not sufficient; it needs to be combined with evaluation, education, compliance audits, accountability and transparency, all positive steps that chief security officers can take while managing cloud adoption and risk.
Cloud providers currently face enormous challenges. They are expected to develop fast in a highly innovative marketplace, catering to demanding customers. Risk and compliance come across as additional cost and effort on top of the existing challenges. However, providers need to understand and accept that without proper risk assessment and compliance monitoring it will be difficult to attract and retain high-profile customers for their services.
Some of the onus lies with the users too. Organizations that use cloud services need to be aware of the type of cloud services they use. They must look at the data they are going to shift to the cloud. With security and compliance in mind, an organization may decide that some highly confidential data will always remain on an internal network and will not be moved to the cloud. Or, if it is moved to a cloud infrastructure, that will be a private cloud hosted on premises, where the organization has access to both the physical and logical infrastructure and can still obtain the benefits of cloud from an operational cost and management perspective. However, one must keep in mind that even in a private cloud scenario, hosts, data centres and networks can be shared between internal business units of the same organization. Network segmentation should be designed with security in mind, including any anomalies that may occur at virtual network boundaries.
The other important thing is to check the contracts with the cloud provider. If it is an internal cloud, should there be internal SLAs and internal compliance checklists? If it is external, one has to clearly establish with the provider what type of data should reside on their cloud services, how they are going to protect it, what the backup strategy is, and whether the client has the right to audit the security and compliance framework the provider builds around the data stored by the organization.
It is important to remember that at the end of the day it is your data, you are responsible for it as a user, and you must retain control over the data at every stage. From an operational perspective, an organization would be well advised to put in place safeguards and benchmarks to check the effectiveness of the security around its data in the cloud. There should also be an incident response plan that alerts the organization the moment something goes wrong with the data stored in the cloud.
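As an added illustration of the monitoring approach described above (example code written for this page, not tooling from the original article or any vendor), the following Python script ranks cloud destinations seen in proxy logs against a vendor profile table and flags users whose uploads to unsanctioned sites exceed a baseline; the host names, vendor profiles, log format and threshold are all constructed and hypothetical.

```python
from collections import defaultdict

# Constructed vendor profiles (hypothetical); unprofiled hosts count as unsanctioned.
VENDOR_PROFILES = {
    "files.sanctioned-storage.example": {"sanctioned": True, "risk": 1},
    "share.unvetted-storage.example": {"sanctioned": False, "risk": 5},
    "forum.devtalk.example": {"sanctioned": False, "risk": 3},
}
UNKNOWN_RISK = 4  # risk scale 1 (low) .. 5 (high)

# Constructed proxy log lines: "<timestamp> <user> <src_ip> <method> <host> <bytes_out>"
SAMPLE_LOGS = """\
2024-03-01T09:00:01 alice 10.0.0.5 PUT files.sanctioned-storage.example 52000
2024-03-01T09:02:11 bob 10.0.0.9 POST share.unvetted-storage.example 8100000
2024-03-01T09:05:40 bob 10.0.0.9 POST share.unvetted-storage.example 7200000
2024-03-01T09:07:03 carol 10.0.0.12 GET forum.devtalk.example 1200
2024-03-01T09:09:15 dave 10.0.0.20 PUT paste.unknown-site.example 300000
"""
UPLOAD_METHODS = ("PUT", "POST")  # uploads are the data-loss path

def parse_line(line):
    ts, user, src_ip, method, host, bytes_out = line.split()
    return {"ts": ts, "user": user, "src_ip": src_ip, "method": method,
            "host": host, "bytes_out": int(bytes_out)}

def profile_for(host):
    return VENDOR_PROFILES.get(host, {"sanctioned": False, "risk": UNKNOWN_RISK})

def rank_sites(log_text):
    """Per-host upload bytes, users and source IPs; unsanctioned and risky hosts first."""
    agg = defaultdict(lambda: {"bytes_out": 0, "users": set(), "ips": set()})
    for rec in map(parse_line, log_text.splitlines()):
        entry = agg[rec["host"]]
        if rec["method"] in UPLOAD_METHODS:
            entry["bytes_out"] += rec["bytes_out"]
        entry["users"].add(rec["user"])
        entry["ips"].add(rec["src_ip"])
    rows = [{"host": h, **profile_for(h), "bytes_out": a["bytes_out"],
             "users": sorted(a["users"]), "ips": sorted(a["ips"])} for h, a in agg.items()]
    rows.sort(key=lambda r: (r["sanctioned"], -r["risk"], -r["bytes_out"]))
    return rows

def flag_abnormal_uploads(log_text, threshold_bytes=5_000_000):
    """Users whose total uploads to unsanctioned hosts exceed the threshold (abnormal trend)."""
    per_user = defaultdict(int)
    for rec in map(parse_line, log_text.splitlines()):
        if rec["method"] in UPLOAD_METHODS and not profile_for(rec["host"])["sanctioned"]:
            per_user[rec["user"]] += rec["bytes_out"]
    return {u: b for u, b in per_user.items() if b > threshold_bytes}
```

In practice the profile table would be fed from a vetted vendor inventory and the threshold derived from each user's historical upload baseline rather than a fixed constant.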
Conclusion:
As more and more organizations start leveraging the cloud for applications and data storage, ensuring adequate security becomes extremely important. Cloud developers and service providers must follow standards and compliance controls. Organizations using a public cloud or building their own private clouds must be assured that the key controls for data protection and data segmentation are in place.
Raghuram is a former Happiest Mind and this content was created and published during his tenure.