Q

Companies should evaluate cloud service security

As cloud services grow in popularity, enterprises must work with IT to decide what belongs in the cloud and how to secure it.

Cloud computing is gaining a lot of traction in the enterprise. Is cloud service security reliable enough yet for businesses?

Although my answer is "it depends," it is critical for security managers to understand that a blanket "no" is not an acceptable answer anymore. Executives and other business leaders are attracted to the cost and convenience benefits of cloud-based providers. However, before any action is taken, the security team needs to know what systems and data would be entrusted to the cloud before they can make a judgment on cloud service secu...

rity.

In addition, organizations need to make decisions about what they are and are not willing to locate in the cloud. Once these baselines have been addressed, project managers can then evaluate the pros and cons of using a cloud provider for a particular function.

Most importantly, the security team needs to know what systems and data are in the cloud.

Most importantly, the security team needs to know what systems and data are in the cloud. A significant downside of the cloud is that any employee with a corporate credit card can now be his or her own procurement officer. These types of "shadow IT" scenarios lead to the worst possible situations -- the unknowns. If data has been moved into the cloud but no one in IT knows, security can't properly vet a provider or keep tabs on that provider's ongoing performance. Blindfolding the security team won't make applications any safer.

After policing to make sure that unknown data is not depending on cloud service security, organizations then need to make decisions about what data and systems they are willing to host in the cloud. Regulatory requirements might dictate what can or cannot be put into the cloud. Corporate policies might have even more stringent requirements.

Organizations searching for a starting point can look at their existing corporate data classification policy. Policies about how different types of data must be handled may disqualify certain information or functions from using cloud-based providers. These same protocols might also highlight other functions that are well-suited to cloud-based solutions. In order to be truly helpful, policies may need to be extended to create cloud-specific guidance for IT departments and line-of-business (LOB).

There are pros and cons to relying on cloud providers. Cloud service security can be scary for some IT teams to accept. All cloud computing involves a loss of control, as someone else is responsible for provisioning, running and maintaining the servers and software. Cloud services are also an attractive target for attackers because a successful breach can potentially provide access to data for a number of organizations.

However, in some cases cloud options may be more secure than on-premise ones. Quality cloud providers have mature security operations programs, such as threat intelligence, backups, patching, intrusion detection and response. Security managers need to ask themselves honestly how well their organizations perform these and other critical tasks.

There are certain economies of scale cloud providers are able to take advantage of, which is often very attractive to small- or medium-sized businesses, but is also increasingly valuable to enterprise organizations as well. In addition, some organizations offload business processes such as credit card processing to cloud providers in order to reduce the scope of compliance efforts, like peripheral component interconnect.

Cloud providers can offer a lot of value for IT departments and LOB, but the decision to move services and data into the cloud has to be done deliberately. Putting definitive processes in place can help avoid the creation of "shadow IT" operations and can help prevent data sprawl. With enough upfront planning, enterprises can take advantage of the benefits offered by cloud providers without allowing their IT operations to spiral out of control.

Next Steps

Next Steps:

http://searchsoftwarequality.techtarget.com/answer/Changing-from-on-premises-to-cloud-based-infrastructure

http://searchcontentmanagement.techtarget.com/feature/Cloud-based-records-management-takes-off

http://www.computerweekly.com/news/2240221356/Cloud-innovation-boosts-card-data-security

http://searchcloudapplications.techtarget.com/news/2240220493/Rogue-apps-on-the-rise-Reap-the-benefits-of-shadow-IT

This was first published in June 2014

Dig deeper on Software Project Management Process

Pro+

Features

Enjoy the benefits of Pro+ membership, learn more and join.

Have a question for an expert?

Please add a title for your question

Get answers from a TechTarget expert on whatever's puzzling you.

You will be able to add details on the next page.
Related Discussions

Dan Cornell asks:

Do you trust the security of cloud service providers?

1  Response So Far

Join the Discussion

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

-ADS BY GOOGLE

SearchSOA

TheServerSide

SearchCloudApplications

SearchAWS

SearchBusinessAnalytics

SearchFinancialApplications

SearchHealthIT

Close