make a good business better

Blog Information Security

Print Divider Print Divider Branding
 

Cloud Security – Is the Time Right to Reconsider Cloud?

03/24/2016  |  By: Sese Bennett, CISSP, CISM, QSA, ITIL, HITRUST CSF, Senior Manager, Information Security

Share

Social Logo Social Logo Social Logo Social Logo

Asking the Tough Questions About Cloud Security

The continuing parade of headlines about data breaches at high-profile companies obscures an important truth: for companies seeking efficiency and security, now may be the best time ever to consider going to the cloud.

While the threat posed by data breaches is undeniable, the fact is that many of the big security breaches have occurred against “on-premises data” or data hosted inside of a company-owned data facility. Certainly, some breaches have also occurred at cloud service providers, but security techniques available in the cloud have grown considerably in sophistication over the last few years. In part, this is because cloud service providers can bring scale to their security programs and leverage their experience with multiple clients to learn quickly and implement improvements. In many instances, if implemented correctly, the resulting expertise available from a cloud provider can make them a less risky option than in-house resources.

That being said, there are a wide variety of security options available from Cloud Service Providers (CSPs). Unfortunately, some of the key security measures such as encryption, logging, and monitoring are often overlooked or not implemented for a number of reasons. In the drive to cut costs, which many businesses view as a reason for going to the cloud, it can be tempting to cut corners. But if companies take a well-thought-out approach to defining what is really needed to maintain security and engage with the appropriate cloud provider, they can actually in many cases improve their security and compliance.

The first step in your cloud journey is to evaluate whether the cloud is a good choice for your company, either by migrating 100% to the cloud, or by selecting elements of your organization for a phased implementation. The goal is to chart a path that will reduce risks in security, compliance and contracts with providers. This article will focus on the first thing you will need to make the best decisions – information. We will discuss how to get that information by asking targeted questions to evaluate what you really need out of a cloud solution and how it can benefit your organization.

Socrates liked to say, “know thyself.” That’s good advice in many situations and is a good starting point when considering migration to the cloud. Understanding your company’s overall operations and attitudes will help shape your cloud decision and your thinking about the level of security and service you need from a provider. Ask yourself these questions:

What benefits could my company gain from the cloud?

This question should be addressed at both the business and technical levels within the organization. Documented benefits of going to cloud can include:

  • On-demand flexibility
  • Available anytime, anywhere
  • Multi-tenancy can reduce cost
  • Scalable and elastic
  • Pay as you go – utility Model
  • Less expensive (reduced infrastructure cost)
  • Fewer specialized staff needed to maintain solution
  • Increased business focus vs. focus on the cloud
  • Disaster recovery and redundancy
  • Improved performance and reliability

When considering the benefits of adopting the cloud, compare the long-term benefits of cloud against your organization’s long-term strategic direction. Consider the types of data you currently have in the environment as well as data types you may acquire in the future as a result of organic growth and acquisitions. Consider the security controls you currently have and think about what you will need to secure data in the future.

How confident do I feel in my company’s ability to stay up-to-date on security measures?

Most security professionals would agree that one of the biggest challenges that they face is keeping up-to-date on security measures. Just when you think you have one aspect of security figured out, the game changes and before you know it, you have fallen behind in another area.

When you add in the struggle to acquire and maintain budget, technology, processes and procedures, personnel and technical expertise, options like cloud may begin to make sense. Weigh those areas of concern and then consider if a standardized approach to maintaining security makes sense as part of your long-term security strategy.

Can my CSP provide a level of security comparable to what I can provide internally?

Moving to the cloud should not be a compromise when it comes to security. If you, as a company, have made a strategic decision to provide a specific level of security for certain types of data such as intellectual property, internal employee data or financial data, then the CSP you select should at a minimum, be able to match those levels. In a best case scenario, the CSP should enhance your security over what you can provide internally.

How complex is my environment and how will implementing the cloud affect that complexity?

Layering on cloud technologies can either simplify an environment, or add additional complexity. So, it is important to weigh the benefits of implementing the cloud against the level of complexity it can introduce.

In the information security field, complexity does not always translate into more security. In fact, in most cases, the simpler you can design an environment, the better. Complex environments create challenges when it comes to maintaining, patching, upgrading, auditing and yes, securing the environment. If it is determined that layering on cloud will add complexity, arrangements must be made to support the complexity either by the CSP directly or through cooperative efforts of both external cloud and internal resources.

Will there be an impact on productivity if I separate the data owner (my company), from the data processor (the cloud provider)?

Often when organizations hear of the many benefits of moving to the cloud (see the first question in this section), they usually don’t hear much about the impact that migrating to the cloud can have on their productivity. It’s said that generally, most people don’t like change and the same is the case when it comes to information technology. On the surface, you would not think that accessing data from a location outside of your own four walls could have a significant impact, but even a simple change, such as modifying the steps in a workflow process, can impact how efficiently a task gets accomplished. So, when considering migration to the cloud, ask whether migrating will have a positive or negative impact on the departments or groups involved. If negative, look for ways to improve or adapt the process before it goes to the cloud so that your organization can reap the benefits of productivity improvements.

These are just a few of the questions that should be part of your initial conversations when considering if the time is right to move to the cloud. My mother always told me that everything was not always about me, and she was right. But in this case, successful adoption of cloud is about making sure the solution fits your specific needs – so yes, it’s all about you! Don’t be afraid to take the time to develop your own additional questions specific to your environment. This will help you to gain a better understanding of your environment and gather the data needed to make informed decisions.

Sese Bennett is a senior manager in the Security and Risk practice at LBMC, a premiere professional services firms based in Tennessee. Contact him at sbennett@lbmc.com or 615-309-2420.