Enterprises across the board are turning to the cloud to leverage the benefits. Reduced costs, speed, agility, pay-as-you-use, and on-demand, are all compelling reasons to jump on the cloud bandwagon.
However, cloud security is still a major concern for organisations, particularly in an increasingly digital world, where the number of users and applications grow exponentially, and the flood of data reaches unprecedented levels.
So says Jonathan Cooke, commercial sales director of DRS, a Cognosec AB company, adding that although any decent cloud provider will have solid security measures in place, the company is still ultimately responsible for its information that is stored in the cloud.
“It’s all a matter of control. Security concerns are magnified in the cloud, because the moving of any private data off premise requires the shifting of control from the business to the cloud provider. There’s also the question of data residency, and cloud providers store data globally across different data centre locations. Each country has its own laws regarding data protection, so a business needs to be aware of any legal or regulatory requirements imposed on data based on the country or region in which it resides.”
Cooke says the first step to securing the cloud is creating, defining and implementing solid, effective and fast security response procedures. “Businesses need to define a set of guidelines and procedures to follow in the event of a breach or incident. This must be adhered to by all parties, and the procedures need to cover methods for identifying, isolating and mitigating security incidents.”
In the unfortunate event a security incident does occur, it is vital to analyse the impact it had on both the organisation and its infrastructure, he adds. “A company simply cannot assume that its cloud provider has adequate measures in place. It must make sure, and ensure it has the appropriate security measures in place.”
Cooke says best-in-class vulnerability and incident response tools are essential. “These tools should enable automatic security assessments, which can look for system vulnerabilities automatically, instead of scheduled on a weekly or monthly basis. This will ensure that any problems are picked up immediately, instead of when it is already too late.”
Next, he says, encryption of data – both in transition and at rest – is a must. “The encryption of any confidential or proprietary data should be enabled in transition, and at rest. This is one way a business can ensure it doesn’t fall foul of any regulatory requirements and other obligations regarding the storage and handling of confidential information.”
Cooke also advises businesses to have a defined and enforced data deletion policy in place. This ensures that once a data retention period as specified by the customer has ended, the client’s data is automatically deleted.
Remember that breaches aren’t always a result of external threat actors, Cooke points out. “Too often, a careless insider exposes sensitive information by mistake. Businesses must regularly assess the security of their cloud environments, and also the environments of their third-party partners, such as vendors and suppliers. Regardless of who is responsible for the security of data in the cloud workloads, the buck stops with the business,” he concludes.