How to navigate the cloud: 5 simple steps to creating an effective cloud security strategy

Security is one of the most commonly mentioned barriers preventing companies from taking advantage of cloud computing. Yet some experts say the cloud could and should be more secure than in-house IT. So how should organisations considering cloud services ensure they maintain security, and what are the key issues to protect data?

This HP white paper seeks to help companies navigate the cloud securely and confidently.

It is expected that the emergence of highly secure and trusted cloud services will mean that cloud security will shift from being an inhibitor to an enabler of cloud services adoption.

Analyst firm Forrester believes the advent of secure cloud services will be a "disruptive force" in the security solutions market, challenging traditional security providers to revamp their architectures, partner ecosystems, and service offerings, while creating an opportunity for emerging vendors, integrators and consultants to establish themselves.

Furthermore, Gartner expects the cloud-based security services market to reach $4.2 billion (£2.5bn) by 2016.

Eric Ahlm, a Gartner analyst, says: "Demand remains high from buyers looking to cloud-based security services to address a lack of staff or skills, reduce costs or comply with security regulations quickly. This shift in buying behaviour from more traditional on-premises equipment towards cloud-based delivery models offers good opportunities for technology and service providers with cloud delivery capabilities."

Taking a risk-based approach to cloud security

When looking to reduce the risks of moving data or applications to the cloud, companies cannot usually rely on a 'one size fits all' approach, as not all scenarios are the same. For instance, some critical applications might be too important to move to a cloud service provider, while extensive security controls might be deemed 'over the top' for relatively low-value data being moved to cloud-based storage platforms.

With so many different cloud services to choose from, the security choices can be varied. Firms can choose cloud services such as software-as-a-service (SaaS), platform-as-a-service (PaaS), and infrastructure-as-a-service (IaaS). Then, there are the types of cloud delivery mechanisms to consider: public cloud versus private cloud deployments, internal versus external hosting, and the various hybrid solutions on offer.

When it comes to cloud security, firms should take the approach they nearly always take when considering security in a broader sense - a risk-based approach to selecting the right security options for their individual cloud service.

Identifying what to put in the cloud

To decide on the security needed for cloud roll-outs, organisations must first identify the assets they are actually moving to the cloud, which normally fall into one of two areas: data, or applications/processes.

Firms should also take into account the fact that whole processes do not necessarily have to move into the cloud. For instance, companies can host an application and the data in their own data centre, while still migrating a chunk of its functionality into the cloud through a PaaS arrangement.

The next step is to evaluate how important the data or process being moved is to the organisation. Essentially, when considering moving assets from the organisation to an outside cloud provider, firms should consider the same things they look at when considering an outsourcing contract.

Identifying data risks in the cloud

Organisations have to identify what the damage would be if data moved to the cloud wrongly became publicly available. For instance, would unauthorised cloud provider staff accessing certain data or functions cause problems, and what would be the effect on business processes of downtime caused by cloud data being unavailable?

In addition, firms may also need to map out a data flow relating to the cloud deployment service under consideration. Companies should consider the data flow between their organisation, the cloud service provider, and any customers, partners or other cloud connections. Such a data flow will show how data can move in and out of the cloud and help illustrate the security requirements.

As well as considering security hardware and software options, companies should also consider on-site inspections of cloud providers, data encryption schemes, audit and data retention policies, and reassurances sought from the cloud provider that their service can meet the industry compliance demands of the customer.

Take into account your other IT systems

Organisations should not get too confused about the various types of cloud services when it comes to security. Most data security attacks and breaches have nothing to do with the cloud. Most attacks come through servers, so if you can secure the servers, then you have gone a long way to securing your cloud deployment.

But cloud security isn't just about adequately updating your hardware and patching your software - firms must review their entire processes. Organisations must assess their network for cloud suitability, consider how to handle unstructured data, and decide what data and applications they can reliably and securely put into the cloud.

They must also complete a user impact assessment, consider how legacy systems can be integrated with cloud applications and systems, plan a cloud migration strategy, and educate users about safe cloud use.

This can be hard in terms of the internal skills available at many firms, which is why a large number use cloud integrators and service companies.

Choosing a secure cloud provider

After going through these processes, organisations should be clearer about what they are moving into the cloud, their risk tolerance, and which type of cloud provision suits them. With this in front of them, they can then decide on the best security protocols and systems to put in place.

While cloud customers can do a lot to make sure their migration to the cloud is secure, the providers themselves can do much to reassure users, according to Gartner.

"If cloud services are commoditised, providers should offer stronger customer guarantees. However, service providers either do not offer protections or vary greatly in the protections they do offer," notes Gartner analyst Daryl Plummer.

In other words, when choosing a cloud provider, organisations should have the right to:

  • Know what security processes the cloud provider follows
  • Retain ownership, use and control of their data. The provider must specify what it can do with the consumer's data; lack of clarity could lead to costly legal battles
  • Service-level agreements that address liabilities. Most cloud service providers seldom commit to recovery times, specify the forms of remediation, or spell out the procedures they will follow
  • Notification and choice about service provider changes that affect the consumer's business processes. Providers must give advance notification of major upgrades or system changes, and grant the consumer some control over when changes happen
  • Understand the technical limitations or requirements of the service up front. Most providers do not fully explain their own systems, technical requirements and limitations
  • Understand the legal requirements of the jurisdictions in which the provider operates. If the cloud provider stores or transports the consumer's data in or through a foreign country, the consumer becomes subject to laws and regulations they may know nothing about

To learn more about the cloud and how it can benefit your business, check out the wealth of in-depth analysis available in our HP Cloud section.