Cloud adoption is now mainstream, and all types of cloud services ranging from on-premise private cloud (adopted by 44% of organizations), to hosted private cloud (adopted by 34% of organizations) to the three types of public cloud are seeing growth in adoption. The key challenge is connecting the different cloud services into hybrid and multicloud environments and putting a comprehensive management, governance and security framework in place across the various clouds.
1. SECURITY: CLOUD INHIBITOR OR CLOUD ENABLER?
IDC’s CloudView Survey: n = 781; IDC’s 2017 Cloud Impact Survey: n = 756. An IDC InfoBrief, sponsored by
Security is still seen as the biggest concern when organizations consider cloud services. Increasingly, organizations are starting to view security as a benefit of using cloud services, as cloud providers are investing in security certifications, technologies, and staff to ensure secure operations. Organizations need to be aware that they are always ultimately responsible for the data they store and process in the cloud, so they need to invest in security concepts for the cloud.
2. GDPR IMPLICATIONS WITH A CLOUD STRATEGY
The EU’s General Data Protection Regulation (GDPR) means organizations need to reconsider their use of cloud services. The market is polarized between:
- Those accelerating the use of cloud services because cloud service providers are investing heavily in GDPR compliance
- Those reconsidering their cloud strategy or even moving back from the cloud
To be compliant with GDPR, cloud service users need to understand their own responsibilities in a shared liability model and ask themselves:
- Do we know if we have personal data in the cloud?
- Do we know where (in which country) this data resides?
- Is the data protected from loss?
- Can we delete the data if required?
3. CLOUD APPLICATION VISIBILITY AND CONTROL ARE KEY.
HOW TO BE SECURE AND MANAGE COMPLIANCE IN THE CLOUD: VISIBILITY IS KEY
- MAKING THE INVISIBLE VISIBLE
Most of the time, security and compliance derive from making the invisible visible. If you don’t know which cloud services are being consumed in your organization, you have no chance of ensuring consistent compliance across all cloud services. As a starting point, you need to scan your IT environment to identify all the sanctioned and unsanctioned cloud services in use.
- ASSESS WHO IS USING THE CLOUD SERVICES
Once you have visibility into the cloud services in use, you need to assess who is using the cloud services, where they are placed, and how much of a risk they are — and then determine a strategy for future cloud service use. When choosing the right partner for your cloud security journey, you want to make sure that you can choose which cloud services you want to block or actively manage and which services will be whitelisted/wide open/uncontrolled.
- USING CASB TECHNOLOGY
The best technology to apply is a Cloud Access Security Broker (CASB), also known as Cloud Security Gateway (CSG). CASB solutions provide a buffer zone between the user company’s on-premise environment and the cloud service provider’s infrastructure. By tracing activity in and around the corporate off-premise environment – acting as a proxy – CSG/CASB provides an unobstructed view into operations involving both sanctioned and unsanctioned applications and devices, as well as the users accessing them. This kind of logging is what enables greater visibility into actions on the corporate network and in the cloud.
Determine what applications are being used
- Which apps are safe and which are risky?
- What do I want to stop? Manage? Ignore?
- How will I do identity management?
- How do I secure the path from premises to cloud?
- What data is out there? What do I need to protect?
- Should I use the CASB via API, proxy, or both?
- What clouds will I be using today and in the future?
HOW ORGANIZATIONS PLAN TO SECURE DATA IN THE CLOUD FOR COMPLIANCE
4. DATA MANAGEMENT AND DATA LOSS PREVENTION IN THE CLOUD ARE ESSENTIAL.
After establishing visibility into cloud application usage, the next important goal is to put the right controls in place. Tight management of data in the cloud has positive implications for general good practice in security. It also contributes towards compliance with the EU’s General Data Protection Regulation (GDPR) relating to the privacy of personal data processing.
The best practices for securing data in the cloud:
- Encrypt data at rest
- Use a DLP solution in the cloud
- Deploy an identity and access management solution
- Control access from different devices
- Create/refine/assess general data and sensitive data retention policies in the cloud
- Ensure that you have a backup and recovery mechanism to handle emergencies
TOP CLOUD SECURITY CONCERNS
5. BEHAVIORAL ANALYTICS FOR RISK ADAPTIVE PROTECTION
After addressing visibility and data protection, the next key step is understanding your users and their behavior in the cloud. When users have access to multiple cloud services, you need to understand how they are interacting with the data and the cloud service. For example, is the kind of data being moved into the cloud in line with company policy? Are they accessing the service at a suspicious time? Is it usual for a user with this profile to use a particular cloud service?
SECURITY THAT ENABLES THE BUSINESS
We know that users mainly just want to do their job, in the way they see as being best for the business. The problem is that what users see as being best may not be what is best for the business, or for security.
BEWARE THE INSIDER THREAT
For example, placing sensitive customer data in an unprotected cloud environment may be helpful when it comes to collaborating to meet customer needs, but may not be the best approach for all stakeholders. This kind of “hapless” insider threat is a serious issue for European enterprises.
HOW TO DRIVE CLOUD SECURITY IN YOUR ORGANIZATION
Cloud services are becoming mainstream and organizations are building hybrid and multi-cloud environments. To make your cloud journey successful, you need to build an end-to-end security framework that spans both on-premise and cloud infrastructure, applications, data and users. Here are three key considerations to drive cloud security in your organization.