Dave Nicholson, technical sales consultant, Axial Systems
Dave Nicholson, technical sales consultant, Axial Systems

Driven by a range of benefits from cost reduction to enhanced scalability and from tighter budgetary control to ubiquitous access to applications, the migration of businesses to the cloud is continuing to accelerate. Highlighting the strength of this growth, analyst IDC recently forecast in a recent Worldwide Quarterly Cloud IT Infrastructure Tracker that IT spending on cloud infrastructure -- servers, enterprise storage, and Ethernet switches for the enterprise private cloud and colocation services -- will increase by 15.5 percent in 2016 to reach US$ 37 billion (£29 billion) In comparison, according to the analyst, spending on enterprise IT infrastructure deployed in traditional, non-cloud, environments is set to decline by 4.4 percent in 2016.

Any business making the transition to cloud will, of course, be focused on achieving optimum levels of data security. The choice of a third party cloud services provider is therefore crucial – and there is a range of issues to consider. For example, do the terms and conditions of their prospective provider meet their needs; and what about data sovereignty, security and even compensation if something goes wrong? 

Just the simple fact of moving data to the cloud brings security concerns – and having a rigorous approach to encryption in place is critical in this context. Businesses must ensure for example that any data transitioned to the care of that provider is encrypted the moment it lands rather than post-landing.  Best practice is for the business to encrypt data itself as it leaves its building. This ensures there are two layers of encryption – so that if one is compromised, one remains encrypted.

While the choice of provider is a vital upfront concern, businesses also need to decide from the word go what data they want to move to the cloud and what to retain in-house. That's why we are seeing the hybrid cloud model becoming de facto especially for larger businesses, who see benefits in keeping more sensitive customer data on-premise.

Ultimately, the business itself needs to accept a high level of responsibility for the security of its cloud-based data and this is especially key with regards to data access. One of the big issues for any business running hybrid cloud is: do they have a security policy that works seamlessly across both on-premise and cloud services?: If somebody wants to access the business's on-premise data they go through a gateway: generally a VPN, or front-end web server. However, if a member of staff tries to access data in the cloud, the business is unlikely to have any control over, or visibility of, that process. That's because there is typically a standard way of accessing cloud services that is not necessarily in line with the organisation's standard security policies.   

Many cloud services will come with user name/password authentication out-of-the-box and that is likely to bring with it some risk. The challenge for the business is to manage and mitigate those cloud service access risks in the same way as it would its on-premise service risks. After all, cloud data belongs to the business not the cloud service provider, and the business is ultimately responsible for protecting it. And in the age of BYOD where many devices used in the corporate environment are unmanaged, that's often an important challenge.

So what's the solution? Education is crucial, of course. Businesses need to highlight the message that employees should take a responsible approach to data protection. They must be aware of the potential security threats and do all they can to mitigate them - from keeping care of devices they use at work to ensuring passwords remain consistently strong.

But in this new security environment, businesses also need to find technology solutions that allow them to mitigate risk. A critical part of this is to step up the level of authentication that those devices need before they can access cloud data. Businesses can, for example, deploy an authentication portal or an access broker which means that if a user wants to access data in the cloud, they have to authenticate via the business's own domain. That critical touch point enables the organisation to establish control over data access. And they can further mitigate risk by making the authentication mechanism adaptive depending on who and where the user is; what they want to access and what devices they are utilising.

So in summary, before businesses migrate to the cloud, they first need to find a cloud service provider they can trust; define which applications and services they are going to transition and then implement a security policy. But critically too, across all of this process, they need to find some form of access broker and an adaptive authentication mechanism that delivers optimum level of control. At that point, they will have a fully secure approach to data access in place and be well placed to reap the many rewards that moving to cloud services can bring.

Contributed by Dave Nicholson, technical sales consultant, Axial Systems