What can you do to mitigate the risk of the cloud?
When it comes to embracing the cloud, there are common security issues that ANZ businesses encounter and certain things they can do to mitigate the risk, according to Gary Gardiner, Fortinet ANZ director of engineering.
According to Gardiner, many ANZ enterprises are taking advantage of the many cost and operational management savings the cloud affords. He says they are finding that unlike in-house IT infrastructure, costs are predictable, operational overheads are virtually nil and businesses can scale up or down with ease.
However, ANZ businesses aren't aware of the security risks presented by the cloud, according to Gardiner.
"The second you store/access any applications or data in the cloud, you're trusting your cloud provider to ensure complete security. It's a big ask," he says.
Cloud security risks are rising, with attacks growing at 45% year-on-year globally, according to cloud security firm Alert Logic. In the next five years, US$2 billion will be spent by enterprises to shore up their cloud defences, according to Forrester Research.
Prospective cloud users can be most at risk, simply because of unfamiliarity with the new environment and the added burden of having to grapple with a new way of managing users, data and security, Gardiner says.
Gardiner has identified five security must-do's for ANZ businesses pre cloud adoption.
1. Know the cloudy areas
Gardiner says there are three main segments in any cloud deployment - the cloud vendor, network service provider and enterprise. Given that the cloud should be treated like an extension of the enterprise data center, the question to ask is therefore: can a common set of security services and policies be applied across the three segments? What are the security gaps?
During vendor selection, Gardiner recommends businesses to ask the cloud vendor what security services it provides and which security vendors it works with. The cloud is a dynamic environment and requires regular updates to the security architecture to stay up with the latest threats. How does the cloud vendor guard against new security exploits and zero-day vulnerabilities? Gardiner says.
It's also important to find out where the boundaries are in the shared security models that come with the cloud service, he says. Gardiner encourages businesses to understand the extent of their cloud provider's responsibilities and their own.
"In some cloud services, such as IaaS, it is the responsibility of the enterprise to secure its applications and data in the cloud. It is therefore important to know what security appliances and vendors the cloud provider offers/allows the enterprise to deploy in the cloud to do just that," he says.
2. New apps, new fortifications
"Ready to move an application into the cloud? Before you do, consider adding new fortifications to the existing security measures you have built around your application's authentication and log-in processes," Gardiner says.
To fortify the access to your cloud application, businesses should have a granular data access scheme. This can be done by tying access privileges to roles, company positions and projects. This will add an additional layer of protection when attackers steal staff's login credentials, Gardiner says.
"Account hijacking may sound basic but this age old breach has been flagged by Cloud Security Alliance as a continuing top threat for cloud users. To fortify your login process, consider implementing two-factor authentication, posture checking and the use of one-time passwords. A good tip is requiring user IDs to be changed at initial logins," he says.
3. Embrace encryption
According to Gardiner, data encryption is one of your biggest security ally in the cloud, and it should be non-negotiable when it comes to file transfers and emails. While it may not prevent hacking attempts or data theft, it can protect a business and save an organisation from incurring hefty regulatory fines when the event happens, he says.
"Ask your cloud vendor about their data encryption schemes. Find out how it encrypts data that is at rest, in use, and on the move. To understand what data should be encrypted, it helps to get a handle of where they reside - whether in your cloud vendor's servers, the servers of third-party companies, employee laptops, office PCs or USB drives," Gardiner says.
4. Wrestling with the virtual
Moving into the cloud lets businesses reap the benefits of virtualisation, but a virtualised environment can present challenges to data protection. The main issue has to do with managing the security and traffic in the realm of multi-tenancy and virtual machines, according to Gardiner.
He says, physical security appliances are typically not designed to handle the data that is in the cloud. This is where virtual security appliances come in - to secure traffic as it flows from virtual machine to virtual machine. Such appliances are built to handle the complexities of running multiple instances of applications, or multi-tenancy.
They therefore let businesses exert fine security control over their data in the cloud. According to Gardiner, businesses should ask their cloud provider how it safeguards its virtual environment and find out what virtual security appliances it is using. If the business is building its own private or hybrid cloud, it should consider getting virtual security products that focus on granular control, he says.
5. Don't be in the dark about shadow IT
"There is no shortage of anecdotes and reports out there that point to how the unauthorised use of applications and cloud services, or shadow IT, is on the rise among businesses. The uncontrolled nature of this poses a security threat and governance challenge," says Gardiner.
He says, "Your new cloud application will be at risk because of this. Consider the simple scenario in which your employees use their smartphones to open a file on their device. It is likely that the phone will make a copy of the file, which could then be sent to an unapproved online storage destination when the phone does its routine automatic backup. Your secure corporate data has just been moved to an insecure location.
"Preventing access to shadow IT is unlikely to stop its growth in any given organisation. It is more effective to educate your users and use technology to manage the issue. Encryption, network monitoring and security management tools can help defend your first cloud app against the risks of the shadow IT."