The great number of practical benefits that the cloud can provide to the businesses that embrace it – ranging from increasing the potential for scalability to reducing operational costs and offering wider access to applications – is predictably leading to more businesses taking the leap to the cloud.
This trend shows no signs of slowing down, with tech analyst Gartner predicting that during the next five years, more than $1 trillion in IT spending will be affected by the growing migration towards the cloud, either directly or indirectly. But as with any big transition, there are several aspects that must be considered in order to ensure success.
For all businesses making this transition and trying to navigate through the cloud, the biggest priority will naturally be ensuring that ideal levels of data security can be achieved. With this in mind, the most important choice that businesses make will likely come down to which third-party cloud services provider is chosen to handle the process.
There is a long list of issues that will play a factor in this choice. Businesses must consider, for example, whether the terms and conditions that the services provider operates under are a good fit for what the business is seeking. Other key considerations include data sovereignty, security and what compensation will take place in the event of something going wrong.
Just the simple fact of moving data to the cloud brings with it security concerns – and having a rigorous approach to encryption in place is critical in this context. Businesses need to ensure, for example, that any data transitioned to the care of that provider is encrypted the moment it lands rather than post-landing. Best practice is for the business to encrypt data itself as it leaves their building. This ensures there are two layers of encryption – so that if one is compromised, the data remains encrypted under the other.
While the choice of provider will inevitably prove to be a key upfront concern, businesses also need to decide, straight from the outset, what data they want to move out of the local architecture and into the cloud and what they want to retain in-house. This is why we are seeing the hybrid cloud model becoming the de facto solution for businesses, especially larger businesses, who see the clear benefits in keeping more sensitive customer data stored in local resources.
Ultimately, the business itself needs to accept a high level of responsibility for the security of its cloud-based data, and this is especially key with regard to data access. One of the big issues for any business running hybrid cloud is whether it has a security policy that works seamlessly across both on-premise and cloud services. If somebody wants to access the business’s on-premise data, they go through a gateway: generally a VPN or front-end web server. However, if an employee tries to access data in the cloud, the business is unlikely to have any control over, or visibility of, that process. That’s because there is typically a standard way of accessing cloud services that is not necessarily in line with the organisation’s standard security policies.
Many cloud services will come with user name/password authentication out-of-the-box, and that is likely to bring with it an element of risk. The challenge for the business is to manage and mitigate those cloud service access risks in the same way as it would its on-premise service risks. After all, cloud data belongs to the business, not the cloud service provider, and the business is ultimately responsible for protecting it. And in the age of BYOD, where many devices used in the corporate environment are unmanaged, that’s often a significant challenge.
So what is the right solution to overcome these challenges? Education is key, of course. Businesses need to highlight the message that employees should always take a responsible approach to protecting the business’s data. They must be aware of the potential security threats and do all they can to ensure they are properly mitigated, from taking care of the devices they use at work to ensuring passwords are consistently strong.
But in this new security environment, businesses also need to find the technological solutions that will allow them to mitigate risk. A key part of this is to step up the level of authentication that those devices require before they can access the data that is stored on the cloud. Businesses can, for example, deploy an authentication portal or an access broker which means that if a user wants to access data in the cloud, they have to authenticate via the business’s own domain.
This critical touch point enables the organisation to establish full control over who can gain access to its private data. And they can mitigate risk even further by making the authentication mechanism adaptive depending on who and where the user is; what data they want to access and what devices they are using to access it.
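The adaptive decision described above can be sketched as a small policy function that an access broker might evaluate per request. This is an added example, not code from the article or from any product; the group names, country codes, weights and thresholds are assumptions chosen for illustration.

```python
from dataclasses import dataclass

# Constructed policy values (assumptions); a real broker would load these
# from the organisation's own security policy.
TRUSTED_COUNTRIES = {"GB"}
SENSITIVITY = {"public": 0, "internal": 1, "customer": 3}
MFA_THRESHOLD = 3
DENY_THRESHOLD = 6


@dataclass(frozen=True)
class AccessRequest:
    user_group: str       # who the user is
    country: str          # where the request originates
    data_class: str       # what data they want to access
    device_managed: bool  # what device they are using (BYOD = unmanaged)


def risk_score(req: AccessRequest) -> int:
    """Sum the risk contributed by each of the four factors."""
    # An unknown data class is treated as the most sensitive (fail closed).
    score = SENSITIVITY.get(req.data_class, max(SENSITIVITY.values()))
    if req.country not in TRUSTED_COUNTRIES:
        score += 2
    if not req.device_managed:
        score += 2
    if req.user_group == "contractor":
        score += 1
    return score


def decide(req: AccessRequest) -> str:
    """Return the authentication level the broker demands for this request."""
    score = risk_score(req)
    if score >= DENY_THRESHOLD:
        return "deny"
    if score >= MFA_THRESHOLD:
        return "password+mfa"  # step up beyond the default user name/password
    return "password"


if __name__ == "__main__":
    # Constructed sample requests.
    for r in (
        AccessRequest("employee", "GB", "internal", True),
        AccessRequest("employee", "GB", "customer", False),
        AccessRequest("contractor", "FR", "customer", False),
    ):
        print(r, "->", decide(r))
```
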
So in summary, before businesses move to the cloud, they first need to find a cloud service provider they can trust completely; define which services and applications they are going to move to the cloud and which they are going to store locally; and then put an effective security policy in place. Critically, throughout this process, they also need to find some form of access broker and an adaptive authentication mechanism that delivers the highest level of control that can possibly be achieved.
At that point, they will have a fully secure approach to data access in place and be ideally placed to reap the many rewards that moving to cloud services can bring.
Dave Nicholson, Technical Sales Consultant, Axial Systems