by Teresa Meek, Workday Contributor, Forbes, August 3, 2016
As businesses continue their flight to the cloud, their concerns about security are changing. The cloud can offer companies better security than their own data centers — but only if they understand how to manage the responsibilities that come with it.
What Smaller Businesses Can’t Do
For years, security concerns kept companies from migrating their data to the cloud, said Seth Robinson, director of technology analysis at CompTIA, the IT association. But that’s changing as businesses learn that cloud application security isn’t inferior to on-site firewalls — it’s just different.
When it comes to the physical environment, for small and mid-sized businesses, the cloud often provides better security than an on-premises data center, said Paul Hill, a senior security consultant with SystemExperts, an IT compliance and security firm.
Cloud-provider data centers have elaborate physical security systems that few small businesses can match. Security guards monitor everyone who enters, checking IDs and allowing only one person through the door at a time. They monitor the data center with closed-circuit TV and have backup generators, uninterruptible power supplies, and redundant heating and air conditioning.
“A very large company like JPMorgan Chase can afford to build data centers that meet these requirements on their own. But for a small to mid-sized business, implementing these controls would be extremely expensive,” Hill said. Even large companies often turn to cloud providers to avoid the headaches of managing an elaborately secured data center.
Risk Management In The Cloud
As company data moves out of the office and onto myriad devices, companies need to think about secure access in new ways. Everything and everyone — employees, servers, APIs, applications and data — must be given an identity and access level, which must be carefully managed.
Security concerns extend beyond the walls of the data center to the data itself — and that’s where companies sometimes get confused, both Robinson and Hill said. The company remains responsible for the data and how it’s used. The vendor is responsible for managing the security around that data and the overall application.
Though providers aren’t required to perform security audits, many do them to satisfy their customers and ensure transparency. Companies can also do penetration testing and vulnerability scanning of the cloud provider, or have a third party do it for them.
Also — critical in an age of sophisticated hackers — companies should monitor logging activity for their web applications. Cloud providers often offer this as a function of their applications, but not all customers realize its importance, or even that it’s available. It is important to understand what type of monitoring is available and ensure that it is running. “I’ve gone to companies who were paying for it but were never told to turn it on,” Hill said.
Companies should also ask their cloud provider about data loss prevention, Robinson said. This important feature classifies and tags data so that it can be monitored for suspicious activity as it moves across the enterprise and externally to third parties.
Different types of information require different levels of scrutiny. Information about a company and its services doesn’t require the same protection that customer identity or financial data does. The cloud application should be able to easily adjust to the level of protection customers require.
“You can scan emails for character strings that look like Social Security numbers or credit card numbers, and flag it if it’s about to leave,” Robinson said. If a transmission looks inappropriate, it can be identified and addressed before the data is compromised.
Making Your Apps Modular
An additional layer of cloud security is provided by application developers who are building their products with stronger architecture elements than they did in the past, Robinson said.
“If you have a single monolithic application, any attack on that piece of code can take the whole thing down. Modern technology makes the app more modular, sectioning off different pieces and treating each one with security so that if one piece goes down, the whole system doesn’t have to go down.”
The Cloud’s Better, But Preparation Is Critical
Even with today’s sophisticated technology, data breaches remain the No. 1 threat to cloud security, according to the Cloud Security Alliance. They’re often the result of poor authentication standards or weak passwords, which in many cases are the responsibility of the company, rather than the cloud provider.
Companies using the cloud should have a cloud security policy and train employees in best practices to avoid phishing and other attacks. It may seem like an obvious move, but too many businesses are missing the boat — and putting their data at risk. According to a Cloud Security Alliance report, 25.5 percent of respondents said they didn’t have a cloud security policy. Another 6.4 percent didn’t know whether they had one or not.
Cloud applications can offer security equal to or better than an on-site data center. But to achieve it, companies must take responsibility for their own data. That means working closely with the cloud vendor to ensure that adequate protections are in place for company data and any applications that can interact with it.