Out with the old, in with the cloud

Moving to the cloud is inevitable, but it demands new ways of thinking about data security, and new approaches to secure this new border says Martin Borrett.

Out with the old, in with the cloud
Out with the old, in with the cloud

If cloud is the answer then why are so many Chief Information Security Officers (CISOs) making the move with great hesitation? The answer is a lack of facts.

According to a new IBM study of CISOs, more than 85 percent say their organisations are now moving to cloud. Despite this percentage however, nearly half expect a major cloud provider to experience a breach in the near future. This paradigm is just simply wrong.

The truth is that when a company embraces hybrid cloud (enterprise, public and private clouds, and mobile devices), the chance to evolve its business – including its security posture – grows in leaps and bounds. That is, as long as it is tuned into the fact that the way it does business is changing.

But traditional strategies for guarding this new perimeter no longer work because there really is no perimeter left to defend. If the enterprise was once a castle that protected its gold by making its walls taller and its moats wider, the fortress has now grown to the point that it spans continents, leaving holes through which attackers can sneak in and wreak havoc. In other words, the cloud computing model has stretched a company's defences, creating new areas of vulnerability that traditional “defence-in-depth” strategies are incapable of protecting.

As many reluctantly move to the cloud, they are keeping their “wall and moat” mentality because, simply put, they don't have the security tools, strategies or expertise to deal with this new hybrid IT environment. However, businesses must take a stand — out with the old and in with the cloud. Rather than fight the cloud, businesses must make it the design point for security – an enabler for growth that speeds the deployment of innovations like mobile computing, analytics and software-as-a-service (SaaS).

To making this all possible CISOs and their teams must put their focus on four key areas:

Who is accessing what and where?

A recent Cloud Industry Forum study found that while the momentum in cloud adoption is continuing, data security is still the number one concern for IT decision makers. Employees demand immediate access to cloud resources but this “need for speed” cannot put assets at risk. CISOs and their teams need to look at their traditional access management protocols and embrace a more cloud-focused approach.

By bringing these tools into the cloud, teams can better control who gains access to what (the enterprise, private cloud, or perhaps its Safesforce.com account), whether they are in the office or on the road, halfway across the globe. This cloud approach is a win-win because security teams can monitor and track access in all of these areas without inconveniencing the user.

Lock it down before it's too late

The Ponemon Institute reports that 66 percent of organisations said their use of cloud resources diminishes their ability to protect confidential or sensitive information. That may be true if an organisation is using an old-fashioned approach to security. Businesses must also be able to discover, classify, and assess sensitive data, whether it's on a person's smartphone or stored in cloud-hosted repository, and then monitor activity and ensure it remains secure.

This same level of protection must also extend to cloud-based applications. Today, most applications are built by developers lacking the skills and the know-how to spot vulnerabilities in their code. As a result, apps get pushed out that can easily be exploited by hackers. Businesses must be able to analyse apps, identify security weaknesses and address them before they are put into production or posted in the company's app store.

Sharpen your focus

Currently, an estimated 75 percent of security breaches are not discovered until days, weeks, or even months have passed. This severe lag illustrates a major issue — if businesses lack real-time visibility into their IT environment now, what will happen when they move to a hybrid cloud where things will get even more complex? Using sophisticated analytics however, businesses can cut through this fog, securing a clear view into their enterprise, their cloud as well as other public cloud services. With a clear picture, they can then glean insight into what they are doing and where breaches and compliance violations are occurring.

You don't have to do it alone

According to the Ponemon Institute, an average of 25,180 computing devices such as desktops, laptops, tablets and smartphones are connected to organisations' networks and/or enterprise systems. Now with cloud adoption on the rise, this footprint is growing at light speed, outpacing the evolving skills of team's security teams.  As a result, there is widening skills gap in the security marketplace that must be addressed. Businesses must embrace the idea that they cannot embark on this journey on their own. Rather than taking chances, leverage the expertise of others who are armed with new approaches capable of monitoring this new frontier, improving threat response times and securing this new border.

Very soon, all businesses will be flying in the cloud. The question now is: will you be flying blind?

Contributed by Martin Borrett, director of the IBM Institute for Advanced Security Europe