Cloud computing is gaining a lot of traction in the enterprise. Is cloud service security reliable enough yet for businesses?
Although my answer is "it depends," it is critical for security managers to understand that a blanket "no" is not an acceptable answer anymore. Executives and other business leaders are attracted to the cost and convenience benefits of cloud-based providers. However, before any action is taken, the security team needs to know what systems and data would be entrusted to the cloud before they can make a judgment on cloud service security.
In addition, organizations need to make decisions about what they are and are not willing to locate in the cloud. Once these baselines have been addressed, project managers can then evaluate the pros and cons of using a cloud provider for a particular function.
Most importantly, the security team needs to know what systems and data are in the cloud. A significant downside of the cloud is that any employee with a corporate credit card can now be his or her own procurement officer. These types of "shadow IT" scenarios lead to the worst possible situations -- the unknowns. If data has been moved into the cloud but no one in IT knows, security can't properly vet a provider or keep tabs on that provider's ongoing performance. Blindfolding the security team won't make applications any safer.
After policing to make sure that unknown data is not depending on cloud service security, organizations then need to make decisions about what data and systems they are willing to host in the cloud. Regulatory requirements might dictate what can or cannot be put into the cloud. Corporate policies might have even more stringent requirements.
Organizations searching for a starting point can look at their existing corporate data classification policy. Policies about how different types of data must be handled may disqualify certain information or functions from using cloud-based providers. These same protocols might also highlight other functions that are well-suited to cloud-based solutions. In order to be truly helpful, policies may need to be extended to create cloud-specific guidance for IT departments and line-of-business (LOB).
There are pros and cons to relying on cloud providers. Cloud service security can be scary for some IT teams to accept. All cloud computing involves a loss of control, as someone else is responsible for provisioning, running and maintaining the servers and software. Cloud services are also an attractive target for attackers because a successful breach can potentially provide access to data for a number of organizations.
However, in some cases cloud options may be more secure than on-premise ones. Quality cloud providers have mature security operations programs, such as threat intelligence, backups, patching, intrusion detection and response. Security managers need to ask themselves honestly how well their organizations perform these and other critical tasks.
There are certain economies of scale cloud providers are able to take advantage of, which is often very attractive to small- or medium-sized businesses, but is also increasingly valuable to enterprise organizations as well. In addition, some organizations offload business processes such as credit card processing to cloud providers in order to reduce the scope of compliance efforts, like peripheral component interconnect.
Cloud providers can offer a lot of value for IT departments and LOB, but the decision to move services and data into the cloud has to be done deliberately. Putting definitive processes in place can help avoid the creation of "shadow IT" operations and can help prevent data sprawl. With enough upfront planning, enterprises can take advantage of the benefits offered by cloud providers without allowing their IT operations to spiral out of control.
Dig Deeper on Topics Archive
Related Q&A from Dan Cornell
Is it safe to move from on-premises application lifecycle management tools to cloud-based tools? Read this expert answer to find out. Continue Reading
Can security impact application performance? What security vulnerabilities might be slowing us down? Continue Reading
As our developers incorporate more and more third-party software components and partner APIs that we don't have direct control over, how do we test ... Continue Reading