Is your business thinking about going cloud but standing on the sidelines due to security concerns? While you are not alone, it could be that your anxiety is in vain. Jay Heiser, a Gartner analyst, shares research that suggests most of the effort spent on public cloud risk assessment is a waste of time, fixating on hypothetical security risks, when companies should really be putting their attention on business needs for control and governance.
A recent Gartner survey of customers about using cloud-based services produced the not-too-surprising finding that security concerns are the biggest inhibitors faced by enterprise IT when they consider moving applications or infrastructure to the cloud. The overwhelming top choice among respondents was cloud security, with other concerns including government snooping and data integration challenges.
For IT managers who need to make defensible decisions about public cloud, the overriding concern is that the services and solutions they choose are safe and compliant. Heiser shared with the Microsoft Ignite audience an analogy of how often Facebook opinions about some subject-of-the-day are influenced by an individual personality – to the point where one person can sway the views of many others who have either limited knowledge of the subject or no strong feeling either way.
Similarly, a highly publicized security incident may negatively influence an IT decision maker, even though the incident has nothing to do with the cloud service of interest, says Heiser, who at Gartner specializes in IT risk management and compliance, security policy and organization, forensics, and investigation.
In reality, Heiser explained, the most common forms of security breach involve some kind of information gathering, such as a phishing attack. Other breaches involve some action on the part of an employee, either deliberate or by mistake. Both cases involve a form of human error which, at best, is difficult to detect and even harder to prevent. In the end, “Cloud services aren’t failing; customers are,” says Heiser.
Heiser’s advice: IT leaders should focus on putting policies and procedures in place, alongside adopting specific technology solutions that can help put doubting minds at ease, such as explicitly and consistently addressing identity and access management. It does no good to put the strongest firewall and VPN in place if a compromised or expired account gives an attacker access, he pointed out.
A corporate cloud strategy incorporates specific details concerning risk acceptance, service ownership, and usage management. Creating one, said Heiser, represents one of the most important measures a company should take.
At the end of the day, it is your responsibility to define and implement specific security measures for the entirety of your IT operations, regardless of where the services are based. While this type of planning does require a measure of technical competence, it can be outsourced or supplemented when necessary.
Heiser’s final bullet list of recommendations included the following:
- Build cloud security and control competencies
- Develop and enforce cloud governance policies
- Data classification and risk acceptance
- “Ownership” of data and departmental applications
- Manage your accounts (especially privileged users)
- Ensure that you have contingency plans
- Demand cloud service providers follow standards and provide third-party security assessments
Heiser’s bottom line: Every organization has to be responsible for its own security.
To help you ask the right questions, we’ve assembled detailed advice on what to consider when it comes to cloud security. Download our new white paper, 5 Critical Considerations for the Cloud.