Last week, we took part in techUK’s 'How to Build Trust in the Security of Cloud Computing' panel debate in London. The event ran in two parts: the first panel looked at the key concerns associated with cloud security, and a second panel then examined what needs to be done to help businesses address these concerns.
The UK is incredibly successful both on the supply side, with the expertise we have developed delivering products and services, and on the adoption and exploitation side of cloud. That said, it was evident in techUK’s Cloud 20/20 vision paper that there are still concerns around security and the resilience of cloud, especially as the market continues to mature. The paper cited that nine out of 10 security professionals worry about cloud security and 80 per cent of budgets will be spent on cloud security, yet one third of data loss is put down to inadequate cloud security. So in effect, companies are still losing data.
To me, one of the clearest issues that came out of the conversation is that the broad scope of ‘the cloud’ continues to be a great source of confusion. Companies cannot adequately combat security threats if they do not dig into the details of the specific types of services they plan to use cloud for, whether that be Software as a Service, Infrastructure as a Service, Disaster Recovery as a Service or Backup as a Service, to name some examples.
Top five concerns raised by the panel about cloud in general:
1. Cloud computing is about commodity compute and a one size fits all approach. However, whether you are a large or small corporation seeking the benefits of cloud, you want to partner with providers that offer a tailored service that addresses your specific security and compliance requirements.
2. Location matters. Organisations are less concerned about multi-tenancy but more concerned about where the data centre is located, where their data resides, who has access to it and the free flow of that data.
3. Unauthorised access, especially by service providers themselves. Cybercrime will target cloud and data centres and there is concern not only about unauthorised access but law enforcement access to cloud data. For example, under what circumstances will your cloud provider disclose data to a law enforcement company?
4. Transparency, audits, the sheer volume of data. Keeping an auditable track of that data was high on the list.
5. Lock-in, data portability, and the smooth and easy movement of data. In other words, how easy it is to exit those outsourcing arrangements.
Other points that came up were the unclear segregation of duties and where the responsibility lies. Whose duty and responsibility is it to secure the platform? Are the skills, experience, and resources available to undertake these tasks? And finally, if you don’t lock down your data, are you raising the risk profile for the organisation and creating opportunities for more vulnerabilities?
My top five key takeaways:
1. Where cloud service providers are concerned, having a technology platform is not enough. It is more about how that platform is managed, the resilience of the platform, the level of cloud security combined with your people, expertise, and providing customers with full transparency.
2. New technologies will be added into the mix all the time. Organisations therefore need to think about their workloads and whether cloud is suitable. Will they be able to adapt to new security requirements and what level of support will they need to do so?
3. Organisations must consider accessibility versus security and understand the details of various cloud platforms and services to mitigate risks. Don’t overlook location, technology, support, access and transparency.
4. Education from your cloud service provider around the risks that are prevalent is absolutely vital. Cloud providers need to give visibility and up-to-date information on these risks.
5. It happens more frequently than you think; therefore, thinking about how you will recover from an attack is vital. For example, do you have the ability to recover quickly and can you recover to a point in time that minimises business impact?
I believe that more education is key to cloud. What type of cloud services are you using or thinking about using, and what are the associated security risks and solutions? Cloud providers need to talk in more specific terms about the solution rather than talk generally about ‘the cloud’, as this is where there is a lot of misunderstanding and misinterpretation.
And finally, as cloud providers help combat security risks, they must also enable customers to easily consume relevant information about their environments, take action and satisfy compliance. Most organisations find there is so much raw data coming out of their cloud provider that they struggle to consolidate this on a daily, or even weekly, basis in order to prioritise the real and most severe risks.
Whether customers are leveraging public cloud, private cloud, disaster recovery, or backup services, ensuring and proving cloud security and compliance will only become more important, and customers and cloud service providers must work together to achieve it.
Sam Woodcock, Principal Solutions Architect, iland