Businesses worldwide are increasingly enjoying the use of cloud services and reaping the rewards that the cloud offers in terms of reduced costs, increased scalability, agility and flexibility.
The continued evolution of this technology means that some of the concerns which businesses initially had about moving to the cloud – notably issues around control, connectivity and complexity - are being addressed, driving increased take up of these services. However, there is one area that remains a key concern in the minds of IT and business management, which is cloud security.
It’s true that the IT industry continues to create more and more sophisticated security solutions. At the same time, the threats are also constantly evolving, continuously challenging the protective walls around our data with new techniques and tools. However, we need to realise that these security concerns have always existed, irrespective of the storage solutions chosen or the location of the computers which are used. And there is no solution which is 100 per cent secure, nor sadly, will there be in the future. IT problems will continue to arise, with security breaches creating challenges for organisations, however the damage they cause can be mitigated against and minimised.
With this in mind, any responsible cloud provider will have a dedicated security team that can ensure that the IT barricades are in good shape and set up to thwart attempted attacks, leading to minimal impact to the environment and / or data and a swift return to standard operating conditions.
A key component of the process, of course, is monitoring the data flows, the physical infrastructure, networks and applications. With a trusted provider, the security team and their automated tools are on a constant lookout for any irregularities or deviations that may indicate a security threat. Newer tools can of course identify threats from patterns in usage, allowing detection of as-yet unrecognised hacker tools or hacking activity. At the same time, pro-active interrogation of usage by the security team complements these tools and identifies false-positives.
We can confidently say though, that security today isn’t just ‘about’ the tools and technology in use, but has a lot more to do with governance. In fact, in some instances, CIOs have started to see cloud computing as a more secure environment than hosting on local machines. Physical, on-premises environments can sometimes provide a lot more opportunities for a security breach on account of the accessibility of this hardware.
Cloud services from a trusted partner can support improved levels of security not only for your infrastructure but can be operational down at the level of each machine. And increased measures can be negotiated to make this environment even more secure – without wildly escalating costs – when working with a provider who can structure the right agreements and processes (including access management) wrapped around their operations.
With these measures in place, security largely depends on the policy hygiene required and maintained by the client. On the provider’s side, it depends on the accountability and ownership specified in the terms of the contract. And those contracts bear significant scrutiny. Understanding the differences between various cloud offerings and choosing services that can offer high resilience, thus curtailing the levels of risk to exposure and threats, is a business imperative.
Clients need to partner with vendors closely in order to understand how this shared responsibility will evolve and need to achieve clarity over roles and responsibilities in order to address the security gaps that lead to threats and breaches.
As an example, clients occasionally make a request to ignore patch updates because they are wary of any potential impact this may have on the stability of existing applications or because they want to avoid downtime. Such requests need to be carefully handled and clients need to partner with the vendor to work towards best practices.
In the service agreement, ownership and accountability – and response times – need to be meticulously clarified, as ownership for certain decisions and actions will continue to reside with the client in the aftermath of a cloud deployment. Often under client control are elements such as: The authorisation of requests, preventing and safeguarding against malicious or accidentally damaging activities by employees, assessing security provisions, and the management of some application interfaces. Identifying and mitigating any threat vectors that are associated with these activities and others play a vital role in enhancing the security of any cloud solution.
In short, security in the real world is achieved through a partnership between the client and vendor and remains a joint commitment. And let’s admit it: security is a voyage, not a destination.
Vivek Vahie, Senior Director at NaviSite
Photo credit: faithie / Shutterstock