Trust needs to be achieved, especially when data is stored in new ways and in new locations, including, for example, different countries.
What is different about cloud?
Cloud computing moves us away from the traditional model, where organisations dedicate computing power to a particular business application, to a flexible model for computing where users access business applications and data in shared environments.
Cloud is a consumption and delivery model; resources can be rapidly deployed and easily scaled (up and down), with processes, applications and services provisioned ‘on demand’. It can also enable a pay per usage model.
In these models the risk profile for data and security changes, and that change is an essential factor in deciding which cloud computing models are appropriate for an organization.
What are the security challenges cloud introduces?
There are existing security challenges, experienced in other computing environments, and there are new elements which are necessary to consider. The challenges include:
- Governance – Achieving compliance and management in the cloud
- Data – Information shared inside and outside the organisation
- Architecture – New web architecture, infrastructure and threats
- Applications – Applications on the phone, internet and in a virtualized cloud
- Assurance – Audit and monitoring in a virtualized/cloud environment
What can be done and what should be considered further?
Many of the risks identified can be managed through the application of appropriate security and governance measures. Which risks you choose to address will be different depending on your business, your appetite for risk management and how costly these measures are.
In many cases the complexity of securing cloud comes not just from the individual application but from how it integrates into the rest of the organization.
Step 1: Define a cloud strategy with security in mind. Identify the different workloads and how they need to interact. Which models are appropriate based on their security and trust requirements and the systems they need to interface with?
Step 2: Identify the security measures needed. Using a framework such as the one IBM uses, the IBM Security Framework and Blueprint, allows teams to capture the measures that are needed in areas such as governance, architecture, applications and assurance.
Step 3: Enable security for the cloud. Decide the upfront set of assurance measures you will want to take: assessing that the applications, infrastructure and other elements meet your security requirements, as well as operational security measures.
Cloud security can be delivered as part of the cloud service and also as specific components added in to enhance security. Depending on your cloud provider it may be that a combination of both of these approaches is necessary.
Cloud computing offers new possibilities and new challenges; however, the fundamental principles of security and risk management still apply. Fundamentally, it is important to be able to assure the security of these new models in order to build trust and confidence. The key to establishing trust in these new models is choosing the right cloud computing model for your organisation, placing the right workloads in the right model with the right security mechanisms.
- For those planning to consume cloud services and looking for trust and assurance from the cloud provider, understanding the service level agreements and the approaches to security is key. Assessing that this can be delivered, including what assurances can be provided, will be important.
- For those providing or building a cloud infrastructure, using a proven methodology and technologies that can deliver appropriate security is key.