While the security of cloud computing has always been a concern, many of the issues that once limited cloud computing deployments for businesses have fallen by the wayside. However, enterprises take a cautious and pragmatic approach to any security concern these days. Breaches have become headline news items, and billions of dollars are at stake in lost reputations and lost business.
So, what’s real and what’s fiction? It’s a matter of understanding how cloud security has progressed over the last few years and, accordingly, how to align your security requirements. Let’s explore these concepts and level-set on the true state of cloud security, including what’s safe and what’s not.
According to a 2017 report by McAfee entitled “Building Trust in a Cloudy Sky,” just 23% of today’s organizations completely trust public clouds to keep their data secure. However, a year ago, it was much worse. Only 13% trusted public clouds. For those of you who don’t want to do the math, this is a 76% jump in trust.
While many factors continue to drive this change, it’s most clearly attributable to public cloud platforms investing more development effort and resources into new security features and support. This includes authentication, encryption, and identity management features. Most public cloud platform providers are hardening every aspect of their systems to ensure greater security and scalability. This investment seems to be working, with the total number of organizations who distrust clouds dropping from 50% to 29%, as revealed in the same report.
So, if you’ve decided to venture toward the public cloud, and security still appears to be an obstacle, there are a number of steps you can take to reduce the friction. These include:
Understand your own realistic security requirements. Note the word “realistic.” Enterprises that move to public, hybrid, and private cloud platforms have a tendency to overstate security requirements. Yes, things such as personally identifiable information (PII) need to be encrypted at rest and in flight, inside and outside of the cloud. Other data may not require the same degree of security.
This is important: Enterprise IT may think more is better when it comes to security. Not necessarily so. Excessive use of encryption services can cause performance issues and inflate public cloud bills, because you’re paying for more resources.
A large part of your requirements gathering should deal with classification of the data that will exist on the cloud. You need to take a fine-grained approach. This should also be considered in the context of compliance issues around management of that data, such as HIPAA (Health Insurance Portability and Accountability Act of 1996) or the Sarbanes–Oxley Act of 2002, to name just a few laws that must be taken into account. Beyond that, it’s a matter of building your own sets of policies around the data, and being able to automate the enforcement of those policies within the cloud security systems.
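As an added illustration (not code from the original article or from any vendor), the sketch below shows one way to automate the classification step described above: each data store is compared with the controls its data classes require, flagging both missing protection and controls that exceed the requirement and deserve a cost review. The class labels, control names, policy mapping and inventory are all constructed assumptions.

```python
from dataclasses import dataclass

# Constructed mapping of data class -> required controls. Labels and control
# names are hypothetical; real values come from your own compliance review.
POLICY = {
    "pii": {"encrypt_at_rest", "encrypt_in_transit"},
    "phi": {"encrypt_at_rest", "encrypt_in_transit", "access_logging"},
    "financial": {"encrypt_at_rest", "access_logging"},
    "internal": {"encrypt_in_transit"},
    "public": set(),
}

@dataclass(frozen=True)
class Store:
    name: str
    classes: frozenset   # classification labels on the data
    controls: frozenset  # controls currently enabled

def evaluate(store):
    """Compare a store's enabled controls with what its data classes require."""
    unknown = sorted(store.classes - set(POLICY))
    if not store.classes or unknown:
        # Fail closed: unlabeled or unrecognized data cannot be judged.
        return {"status": "unclassified", "missing": [], "excess": [], "unknown": unknown}
    # A store holding several classes needs the union of their controls.
    required = set().union(*(POLICY[c] for c in store.classes))
    missing = sorted(required - store.controls)
    excess = sorted(store.controls - required)
    status = "under-protected" if missing else "over-specified" if excess else "ok"
    return {"status": status, "missing": missing, "excess": excess, "unknown": []}

def audit(inventory):
    return {s.name: evaluate(s) for s in inventory}

# Constructed sample inventory.
INVENTORY = [
    Store("crm-db", frozenset({"pii"}), frozenset({"encrypt_at_rest"})),
    Store("claims-archive", frozenset({"phi", "pii"}),
          frozenset({"encrypt_at_rest", "encrypt_in_transit", "access_logging"})),
    Store("marketing-assets", frozenset({"public"}),
          frozenset({"encrypt_at_rest", "encrypt_in_transit"})),
    Store("legacy-share", frozenset(), frozenset({"encrypt_at_rest"})),
]

if __name__ == "__main__":
    for name, finding in audit(INVENTORY).items():
        print(f"{name:18} {finding['status']:16} missing={finding['missing']} excess={finding['excess']}")
```

An "over-specified" result is a prompt to review cost and performance, not an instruction to remove a control; an "unclassified" result means the store needs a label before any decision is made.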
Mapping a path to sound cloud security. This step is actually easy, if you’ve done the previous step correctly. Bringing technology to bear means mapping your security requirements to the proper security technology within the cloud providers’ security tools offerings.
This means you pick the right encryption services that will live up to your compliance and policy requirements. Next, pick an identity and access management (IAM) system that integrates within your existing directory systems. And finally, have all of this live under a sound security management system that provides proactive monitoring and self-defense.
An example of a sound cloud security solution is from CenturyLink. CenturyLink provides a unified system of security services that covers the entire IT stack. With this approach, they can reduce security and instability risks that arise from managing and integrating disparate technologies, services and SLAs across multiple vendors. The solution is a true ecosystem of security services that ranges from DDoS attack mitigation, to monitoring and management of basic protective devices like firewalls, to handling the entire lifecycle of an attack. The CenturyLink security approach incorporates macro threat intelligence, advanced analytics and SIEM technologies along with proactive detection, containment and incident response services.
The state of cloud security is strong. Very strong, when you consider where we were just a few years ago, and the fact that breaches have been few and confidence is building, as seen in the report cited above. That said, we also have the ability to improve upon cloud security, and you can count on a massive flow of technology from cloud providers and third-party vendors over the next three years. Navigating the mammoth number of technologies and vendors may seem like a job unto itself sometimes. To help, partner with a managed security service provider (MSSP) who has the expertise and deployment knowledge to make sure your cybersecurity plans are in lockstep with your business goals.
Security is something you plan for and manage day-to-day. In the end, a bit of planning, including understanding your requirements and vulnerabilities in detail, goes a long way.