Putting a padlock on the cloud
Ask anyone in IT what the biggest barrier to adopting cloud computing services is and the most likely answer is security.
As Shirief Nosseir, EMEA security product marketing director at CA Technologies, explains, securing the cloud isn't rocket science; cloud is just another environment in which security should be seen as an enabler rather than a barrier.
Many organisations assume that adopting any form of cloud computing changes a company's risk profile. Unless a company deliberately increases its appetite for risk, however, its risk profile should not change, regardless of whether it adopts a public or a private cloud.
At this stage of market maturity, where cloud sourcing decisions are decentralised and proper policies and procedures are not yet adequately enforced, it is quite common for lines of business to bypass the IT organisation altogether and acquire cloud services (particularly Software-as-a-Service) without thoroughly vetting them for security risks.
Before moving any part of the business to the cloud, organisations need to consider the different cloud deployment options available, including service models (Software-as-a-Service, Platform-as-a-Service and Infrastructure-as-a-Service), internal versus external hosting and public versus private deployments. They also need to understand the on-premise services they already have and identify which of them are suitable candidates for moving to the cloud.
If external cloud services are being considered, the different providers and the service level guarantees they offer should be evaluated, much as in traditional outsourcing. Then, as in any other security area, a risk-based approach weighed against cost and business value gives organisations a framework for making better-informed decisions and keeping their risk profile in line with their risk appetite.
Today, there is no doubt that the cloud is here to stay. It is already widely adopted by many organisations and adoption will continue to rapidly grow. Given the reduced cost, increased flexibility and opportunities it brings, cloud computing is compelling for many organisations.
It is important for IT departments to be proactive and be quick to embrace the cloud model, as this is an opportunity for security to be seen as an enabler rather than a brake on the system.
The cloud offers an irresistible business case, and executives will often not refrain from consuming the cloud services they need simply because those services have not been adequately vetted for security - a statement that should raise few eyebrows among risk, security and compliance professionals.
However, this is a trend that many of us already see happening in organisations. For instance, in a CA Technologies sponsored cloud security survey some of the key findings show that 49 per cent of respondents said their organisation uses cloud computing applications without thoroughly vetting them for security risks, while 68 per cent of respondents said that their security leaders are not the most responsible for securing the cloud computing resources in their organisations.
It is also worth mentioning that business supporters of cloud computing often highlight the business's ability to buy IT services itself, bypassing the IT organisation altogether. IT organisations that resist the move to the cloud will ultimately be made irrelevant.
As the cloud is just another computing model that needs to co-exist with other (traditional) platforms, organisations should not be creating separate new policies to secure the cloud. They need to look at their entire environment, including the cloud, and develop a coherent set of policies that cuts across their whole infrastructure. They should start with the policies they already have and adjust them to accommodate the cloud model.
At the same time, it is clear that traditional security models are now going through an evolution in an attempt to keep up with the new order of things. Take the data sprawl issue as an example: one of the common cloud security challenges that organisations face is identifying what data is appropriate to process and move into the cloud.
Nowadays, as data has transformed into bits and bytes, copying sensitive data or sending it across the globe is just a mouse click away. As we all know, this brought about new levels of efficiency and fuelled the democratisation of information.
On the flip side, we ended up with data sprawl. In most cases now, we have little control over how information is being used and shared and by whom it is being consumed. With the enormous amounts of information we process and share on a daily basis, we are not able to keep track of where all copies of our sensitive information are located. Needless to say, data sprawl has introduced all sorts of security problems, since we simply cannot secure what we cannot locate and control.
With cloud computing, data sprawl becomes even more of an issue. By nature, a cloud is highly dynamic, often extends beyond the typical boundaries of our organisation and typically is shared with other tenants. Clearly, traditional perimeter security cannot offer enough control over data and its movement to and in the cloud.
Although typical data loss prevention (DLP) technologies do a good job at locating, classifying and controlling information, they are simply not enough for what is truly needed. An identity-centric approach to information protection and control becomes paramount in cloud environments.
Content awareness (provided by DLP solutions) allows us to understand what information is held in our files and documents, whereas an identity-centric approach adds a further layer of intelligence to the handling of data sprawl: the context of who is trying to use the data and how they should be allowed to use it (for example email, copy or print).
Consequently, DLP technologies need to become more identity centric and integrated with identity and access management (IAM) technologies. Conversely, IAM needs to become more content aware to provide the right level of control that fosters information sharing, while mitigating unnecessary risks.
In turn, a content-aware identity and access management approach is paramount to be able to effectively ensure that only appropriate data is moved into the cloud.
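The content-aware IAM decision described above, as an added illustration that is not part of the original article or of any CA Technologies product: a DLP step classifies a document (here by finding Luhn-valid card numbers or a "confidential" marking), an identity step looks up what the requesting role may do with that class, and a cloud upload is additionally checked against a list of vetted providers. The role policy, the provider allow-list and the sample documents are all constructed for the example.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used by DLP engines to cut false positives on card-like numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def classify(text: str) -> str:
    """DLP step (content awareness): 'restricted', 'confidential' or 'public'."""
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"[ -]", "", m.group())):
            return "restricted"
    if re.search(r"\bconfidential\b", text, re.I):
        return "confidential"
    return "public"

# Identity-centric step: constructed policy of which roles may perform which
# actions on each data class ('*' applies to every role).
POLICY = {
    "public":       {"*": {"email", "copy", "print", "cloud_upload"}},
    "confidential": {"employee": {"copy", "print"},
                     "manager": {"copy", "print", "email"}},
    "restricted":   {"finance": {"print"}},
}
VETTED_CLOUD = {"approved-saas.example"}   # constructed allow-list of vetted providers

@dataclass
class Request:
    user: str
    role: str
    action: str
    destination: str = ""   # cloud provider for uploads (constructed value)

def decide(text: str, req: Request) -> tuple[bool, str]:
    """Combine content class, identity context and action into one decision."""
    cls = classify(text)
    allowed = POLICY[cls].get(req.role, set()) | POLICY[cls].get("*", set())
    if req.action not in allowed:
        return False, f"{cls}: role {req.role} may not {req.action}"
    if req.action == "cloud_upload" and req.destination not in VETTED_CLOUD:
        return False, f"{cls}: provider {req.destination} is not vetted"
    return True, f"{cls}: {req.action} permitted for {req.role}"
```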