How Safe Is the Cloud?By Steve Tillery | Posted 2010-10-15 Email Print
As companies shift their IT systems to the cloud, misunderstandings abound about security levels as compared to those within the enterprise.
A customer recently commented that the security risks associated with cloud computing were beginning to outweigh the benefits of delivering software as a service over the Internet. The customer believed that having critical system and personal data in the cloud was significantly less secure than having it on premises and within the enterprise.
Therein lies the challenge for the future of cloud computing: trust. As companies shift their IT systems to the cloud, impressions are being formed regarding its security levels and how it compares to that within the enterprise. Much of the conjecture is false and misleading.
Is cloud computing right for every organization? Absolutely not. Deploying IT systems and applications in the cloud or on premises is a decision every enterprise must make based on several considerations, including the company’s culture for outsourcing, internal cost versus expected ROI, regulatory requirements and IT needs.
Reaching the right decision is dependent on understanding the facts, rather than relying on assumptions and hearsay. Here are the facts:
Building a trusted environment: In the world of data security, the location in which the information resides is less important than the strategy deployed to protect it. Consequently, the greatest IT security threat stems not from the cloud, but from having inadequate IT security policies and a lack of education about employees’ role in defending a company’s data. An organization that lacks these essentials increases its vulnerability regardless of the delivery model it deploys to run IT systems and applications.
For instance, most service-level agreements focus on performance metrics and support commitments. Many fail, however, to clearly articulate corporatewide IT security policies and procedures and to delineate how they are enforced throughout the organization.
Furthermore, many companies fail to grasp the fact that even if data resides remotely in a cloud computing environment, their employees—yes, employees—are still the most likely parties to compromise the integrity of that information. In fact, many data breaches are the result of employees with access to sensitive information who unwittingly act as accomplices or enablers for an external threat.
Creating access control policies: To address insider threats and ensure effective use of security policies and procedures, companies must deploy a layered approach that combines stringent yet flexible access control to sensitive data with ongoing employee education about the security rules and processes the organization is required to follow.
Toward that end, an effective security policy (and related procedures) will establish a protocol on how all employees—from interns and contractors to senior-level executives—can access, store and share all types of data and information across the organization and with outside parties. These “rules” should provide an intuitive, auditable and enforceable framework for managing employee access to data and resources.
The system should also be set up to automatically deny access—without exception—to current and former employees who do not have a permissible reason to gain entry to certain data. Such a system must include the ability to efficiently terminate access to former employees or consultants who are no longer working for the business.
Educating your employees: Developing a robust set of security policies and procedures is only half the battle. Companies will remain vulnerable if employees don’t understand the rules or fully grasp how their decisions and behavior—such as the Websites they visit and the software they download on work computers—play a critical role in weak-ening a company’s defenses from data breaches.
This is especially true in highly regulated industries, such as health care and financial services, where companies must comply with stringent regulations or run the risk of incurring significant business disruption, damage to their reputation and/or having to pay financial reparations to customers and clients.
Once managers realize the relevance and origin of prominent IT security threats, they can begin to understand that most are independent of the delivery model. Organizations that build a strong security framework backed by continuous education will discover that the cloud is not as dark and threatening as many fear.
Steve Tillery is chief technology officer and senior vice president of engineering for Fischer International, where he guides the technological and architectural direction of the company.