12 Cloud Questions Every Company Should Ask Itself
Demand for cloud services continues to surge, driven by corporations interested in software flexibility and scalability. But how secure is the cloud? No surprise, analysts predict security products and cloud-based security services will be a nearly $9 billion market by 2019.
With recent high-profile cyber-attacks at companies like Sony and U.S. government agencies, cloud security is in sharp focus.
As we said in August, the C-suite likes the cloud’s flexible OpEx model (often deployed as a subscription-based cloud service) but may not totally grasp the implications of adopting the cloud. This can lead to well-founded (and not so well-founded) fears about the security of a cloud solution. As a result, many large companies are investing in the private cloud, while slowing their use of the public cloud.
According to one estimate, companies with more than 1,000 employees use an average of 1,154 cloud-based services, “ranging from enterprise-ready services procured by the IT department such as Office 365 to far lesser known and riskier services such as FreakShare.”
The report further estimates that sensitive corporate data makes its way to the cloud routinely, with 15.8 percent of documents in file-sharing services containing some form of sensitive content.
As we mentioned in our mid-year review, “Cybersecurity concerns have led many decision-makers to take a step back and consider private cloud or hybrid solutions as the starting point. Intrusions into corporate databases at Target, Sony, Home Depot and, just recently, the hacking of 22.1 million Federal employee records have led companies to think twice. Security issues, which have always been part of the cloud debate, are now center stage.”
While the above-named breaches generated quite a bit of attention, a study by the Ponemon Institute showed that breaches are much more widespread, with an estimated 43 percent of companies having experienced at least one data breach in 2014. Clearly, the enterprise cloud and local applications are both under attack. So what are corporations expected to do?
The bright side of this story is that many of the same security practices used to secure traditional enterprise applications also apply to the cloud.
To focus on preventing the risk of data breaches, ask yourself:
#12: What is your company policy when it comes to managing sensitive data and file sharing? On average, more than 25 percent of employees will upload files containing sensitive data to the cloud.
#11: Are your cloud-based applications being monitored for inbound and outbound traffic anomalies? The difference between a minor incident and a massive breach often comes down to the ability to quickly detect, contain and mitigate an attack. Analysts at the Ponemon Institute estimate it took retailers, on average, 197 days to identify an advanced threat and 39 days to contain it, while financial services organizations needed 98 days to identify and 26 to contain.
#10: How flexible and collaborative is your IT department in meeting the challenges associated with new technologies and quickly responding to security threats? The majority of IT managers are seeing a shift toward more collaboration and pooling of previously siloed resources, opening up opportunities for better cloud security measures.
#9: Is your cloud service provider responsible for security? To fully secure data in the cloud, enterprise IT teams should never solely rely on their cloud provider. Ensure you have a solid security strategy in place that is agnostic to the location of your data and applications.
#8: How do you handle the riskiest of apps: storage? Cloud-based storage applications have access to very sensitive corporate data, particularly financial data.
#7: When do you identify and stop malicious insiders? A 2015 Experian study claimed that employees, particularly those working remotely or using their own mobile device, accounted for more than half of security incidents last year. A current or former employee, contractor, or a business partner with access through IaaS, PaaS, SaaS or traditional infrastructure, can often be the source of an enterprise’s greatest risk.
#6: How do you protect credentials from theft? In 2010, Amazon was subject to a cross-site attack that used malicious scripts in a benign account to launch more attacks. Many companies are prohibiting the sharing of accounts and now require strong two-factor authentication techniques.
#5: Are you ready for next-generation technology and the Internet of Things (IoT)? Gartner predicts that the IoT market will grow to 26 billion units by 2020. With the proliferation of connected devices, is it any surprise that IT managers are increasingly concerned about the security risk of those devices?
#4: Do you allow employees to use their own devices? The rise of bring-your-own-device (BYOD) and bring-your-own-application (BYOA) means that many cloud services and tools are sneaking into organizations under the noses of IT leaders. In a recent survey, more than half of the IT respondents said that when it came to cloud services, the biggest challenge was assessing the security risk before employee adoption.
#3: How do you define and determine the best ways to deal with cloud abuse? The Cloud Security Alliance defines cloud abuse as “a bad guy using a cloud service to break an encryption key too difficult to crack on a standard computer. Another example might be a malicious hacker using cloud servers to launch a DDoS attack, propagate malware, or share pirated software.”
#2: What cloud technologies are being shared, and with whom? Cloud service providers often share infrastructure, platforms and applications to deliver their services in a scalable way.
“Whether it’s the underlying components that make up this infrastructure (e.g. CPU caches, GPUs, etc.) that were not designed to offer strong isolation properties for a multi-tenant architecture (IaaS), re-deployable platforms (PaaS), or multi-customer applications (SaaS), the threat of shared vulnerabilities exists in all delivery models,” writes the Cloud Security Alliance.
#1: Are you using the right tools? 60 percent of UK IT managers surveyed in The Register’s cloud survey said they were using VPN connections, but only 34 percent said they were using cloud firewalls or encrypting data at rest. “The numbers continued to drop in regards to other preventative measures until the bottom of the list where only 15 percent said they were using obfuscation or tokenization of sensitive data,” The Register reported.
How do you secure your cloud applications? How many cloud-based apps are your employees using today?
Follow me on Twitter at @Pat_Patterson_V