As we come to the end of 2013, is it still possible that some continue to classify the cloud as not secure enough for the enterprise? Unfortunately, this is true. What’s also true is that most of us rarely hear people talk about cloud risk.
Can we agree that the conversation should really be about cloud risk and risk mitigation? IT and cloud service providers should talk about how everyone should understand what is being protected, the threat level and how enterprises can address the risk. Dealing in these fact-based terms can eliminate the security barrier and allow enterprises to fully embrace the promise of cloud.
The modern cloud infrastructure is built on top of a sound architecture and with security in mind. And there is data and expert advice that demonstrate it’s not about cloud security, but about cloud risk management:
- The 2013 Data Breach Investigations Report (DBIR) found that attacks against virtualization technology were not present in the breaches analyzed.
- An IDG survey concluded that 75 percent of organizations feel confident over their security of information assets in the cloud.
- The CIO of a leading financial organization said that his database administrator with credentials is his biggest risk, not cloud security issues.
To address security concerns, enterprises need to focus on the risk their businesses are exposed to and develop plans to mitigate it. To make it easier, enterprises need to take an information-centric approach. This means, think about the data being protected at every step of the risk mitigation process. With this in mind, there are a few actionable steps that can get you started.
- Start with the business context: Assess what type of information is being handled within the business, who would be interested in obtaining it and how likely it is that they’ll succeed. Once that’s done, consider the appropriate security control options. The Cloud Security Alliance has published a comprehensive list of controls for cloud.
- Research the application: Be mindful that not all applications are designed to meet high security standards. For that purpose, develop protocols that protect them when they are stationary as well as when the data is in motion.
- Develop a data-centric governance plan: Evaluate who needs access to the data and virtual machines and limit it.
- Test the plan and test it again: Once the plan is implemented, be sure to test it repeatedly.
It is clear that the focus should no longer be on cloud security issues but on cloud risk and risk mitigation, as it is the foundation for security in the cloud. Taking into consideration your business objectives, application requirements, and developing a strong governance plan are key to mitigating risk. Taking these steps can liberate any organization from the worrying about security and allow for some peace of mind in the cloud.
