Cloud Security

Here comes the cloud…and it’s all right

While the cloud is inevitably the future home for data storage that doesn't mean it's perfect and those who entrust a third-party storage company to safely and competently house their data have nothing to worry about. On the contrary, a chief information officer and CISO's migraine headaches and ulcers may really kick in once the contract is signed and the data migration started. But while some worry is natural, and required, for the most part placing a company's crown jewels with cloud-securityc company is becoming the norm.

“Our recent survey ‘Building Trust in a Cloudy Sky' revealed that 93 percent of those surveyed are operating some type of cloud services in their organization. The majority (57 percent) are running a hybrid public/private architecture, up dramatically from last year's 19 percent,” says Raj Samani, chief scientist at McAfee.

Jody Brazil, co-founder and chief product strategist at FireMon, noted that his company's data shows a similar trend with 90 percent of firms it recently surveyed being in some stage of cloud adoption. However, he pointed out that despite a high participation rate, many organizations are still holding back.

“While these numbers are very high, the overall percentage of workload moved to the cloud remain low with most organizations having only moved a small portion of their workload to the cloud.  Nearly all companies are investigating cloud and I expect this trend should and will continue,” Brazil says.

That is not to say that all those moving to the cloud are choosing a third-party vendor like Amazon Web Services or Google. Many are choosing private clouds or some mixture to provide the service that they need.

“I would say that almost 100% of corporations leverage the cloud in some ways. Some moved their content to the cloud, some use cloud based services. Some use private clouds, some public clouds and many haven't moved their core IP to the cloud, but almost all corporations use some cloud services in some way,” says Andreas Baumhof, Threatmetrix's CTO.

The reasons behind this mass migration and plentiful and diverse. For some it's simply easier to let company experienced in data management take over freeing up internal resources for other tasks.

Security is the other driving force, both behind the movement toward the cloud and the reason why some companies refuse to do so. It all depends upon which line of thought one follows. Either a company dedicated to storing and securing data in the cloud will have a better handle on cybersecurity, or such a firm will not understand the value of the data being entrusted to it and will therefor do a haphazard job keeping it safe.

Part of this dichotomy is brought on by the cloud storage industry itself, which can be uneven when it comes to providing security. News feeds are filled with cases of third-party vendors making an error that either releases or exposes another company's data.

“Cloud and security; the views are mixed.  Although many of larger cloud providers (SaaS in particular) are considered very secure (i.e. Microsoft, Box.com, Google, Apple) just to name few, many, many other SaaS providers have not put basic controls in place in order to meet today's cybersecurity challenges, those basic controls are, for example: federated identity, data protection, access control, internal cybersecurity program, etc.  The list goes on,” says Henry Jiang, CISO and managing director at Oppenheimer & Co.

Many companies are either willing to ignore or look past the potential cybersecurity risks when they consider moving to the cloud. The freedom gained by no longer having to manage, and secure, data can be extraordinary.

“The motivation to move to the cloud is not typically security.  Common motivations include speed of delivery, elastic scalability, and cost.  There are security concerns and security benefits with cloud computing.  Perhaps the greatest risk is not the technology, but ignorance of how to secure these new environments,” Brazil said.

Other benefits of moving to the cloud include being able to access the brainpower hired by the cloud company, personnel that a smaller firm might simply not be able to afford. And this expertise is not just in the security space.

“Strictly from a resources standpoint, when you move to public or virtual private cloud infrastructure you are essentially tapping into the talents of the many smart people at AWS, IBM, Microsoft or Google who are charged every day with making their infrastructure as secure as can be – not to mention the high-security, physical protection and electronic surveillance of infrastructure hosting facilities. For most organizations this is a significant increase in manpower over the security resources internally they have at their disposal,” Jim Crook, senior product marketing manager for CTERA, an enterprise file services provider, notes.

Whether moving to the cloud is a good or bad move is in the eye of the beholder, or in this case the owner of the data. Baumhof notes that moving the cloud cannot be measured as either a right or wrong move, but instead it depends on the use case and the company's situation.

“The major opportunity for larger enterprises is to be able to leverage innovative SaaS solutions to meet a range of IT needs, including meeting security requirements. By its very nature, cloud-based software can provide unmatched scale and ease of implementation for large, complex organizations,” he says.

While Brazil noted earlier that security is not the only reason to move to the cloud, it certainly offers up a great reason to do so as, “the benefits include native, embedded security including authentication, access control, data encryption in transit and at rest, DoS protection, data resiliency, infrastructure resiliency, and more.  In many cases, these capabilities exceed those of a customer's traditional data center.” 

The long list of positive reasons for shifting to the cloud are counterbalanced, to some extent, by the negatives which is why not every company has moved. When it comes to why a company has not moved to the cloud the top three reasons cited are fear, transparency and security. Not necessarily in that order.

“Firstly you lose control. You put your most valuable content into someone else's hands and you then make yourself vulnerable to a whole range of “new” attacks. Your existing controls for cybersecurity most likely won't be as effective or completely irrelevant in this new world,” says Baumhof.

CTERA's Crook pointed out one fact that truly puts fear in the C-Suite when it considers offloading its data into the cloud. Cyberattack. Because cloud services hold countless terabytes of data they have become the leading targets for cybercriminals.

“Large cloud services are under constant attack from hackers cloud services (breaches uncovered at Dropbox and Yahoo in the past year highlight this fact). But this risk is largely eliminated by organizations that avoid public SaaS solutions, or, deploy their own services and store their data in virtual private clouds within public infrastructure, where they alone generate and manage encryption keys. 

Samani backed up this line of though, but noted that a company that does its homework before taking the leap into the cloud does have less to worry about.

“Do your due diligence, after all you can outsource the work and NOT the risk,” he says.

The first step in picking out a safe and dependable cloud-based data management firm is to check with the Cloud Security Alliance's STAR registry to get an understanding of the security maturity of third-party providers.

Next Baumhof suggests investigating the cloud firm's upper management team specifically looking for executives and an operations team with a strong security background.

Crook suggests not keeping all the company's eggs in one basket, but spreading the data among several cloud firms.

“Investigate multi-cloud strategies. When organizations run applications on multiple cloud services rather than relying on a single vendor, they reduce the risk of a vendor's service outage causing them significant issues and downtime. This is a critical component of a cloud strategy that enables organizations to preserve cloud optionality while strengthening their business continuity models,” he says.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.