A lack of cloud security can be expensive. In health care, for example, the HIPAA Omnibus Rule states that cloud computing service providers are directly liable for HIPAA security compliance. Under the Omnibus Rule, non-compliance or data breaches can lead to fines as high as $1.5 million per violation, so it’s worth your while to understand the ins and outs of cloud security.
The need for greater cloud security is increasing as companies grant third parties access to sensitive information as part of big data analytics and other collaborative services. According to an InformationWeek study, “Compliance in the Cloud Era,” 72 percent of respondents see at least one partner or vendor as a security risk. Here is the list of top cloud security concerns that are driving compliance:
- 58 percent - Fear of legal fines or repercussions
- 41 percent - Internal requirements to manage risk
- 41 percent - Fear of corporate embarrassment and negative publicity
- 33 percent - Proactive effort to meet customer needs and expectations
- 31 percent - Fear of negative audit results by a third party
- 18 percent - Proactive push to meet partner needs and expectations
- 7 percent - Need to address problems uncovered in a previous audit
- 3 percent - Other
As you can see, the risks posed by potential audits and third-party data access are creating more demand for cloud security. Here are five things to consider to ensure that your cloud data repository is secure and compliant:
- Secure devices for cloud access – As the lines between personal and business computing continue to blur, more devices are being used to access the cloud – laptops, smartphones, PDAs, tablets, etc. To save a lot of time and trouble, consider leaving control of access hardware in the hands of users, so that you don’t have to manage all those devices yourself. However, you should be sure to impose at least two security controls: A) User authentication. Use a combination of user ID and password, user ID and security token, or user ID and public key infrastructure (PKI) credentials. B) Secure remote browser access. Use an encrypted connection such as a Secure Sockets Layer (SSL) tunnel, or a connection authenticated with device-level PKI credentials.
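The “user ID and security token” option under control A is most often implemented as a time-based one-time password alongside the user’s password. The following is an added example, not code from the original post or from any particular product: a constructed in-memory user store and a two-factor check that verifies a salted PBKDF2 password hash and an RFC 6238 TOTP code in constant time, evaluating both factors even for unknown user IDs so that response timing does not reveal which accounts exist. The user records, salts and the `authenticate` function are assumptions made for illustration; only the TOTP algorithm and the reference seed `12345678901234567890` come from RFC 6238.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional

# Constructed sample user store (not a real directory service). Passwords are kept
# only as salted PBKDF2-HMAC-SHA256 hashes; the token secret is the shared seed for
# an RFC 6238 time-based one-time password (TOTP), one form of "security token".
PBKDF2_ROUNDS = 100_000
TOTP_STEP_SECONDS = 30


def hash_password(password: str, salt: bytes) -> bytes:
    """Derive a slow, salted hash so stolen hashes cannot be reversed cheaply."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def totp(secret: bytes, at_time: int, step: int = TOTP_STEP_SECONDS, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1: HOTP of the time-step counter, dynamically truncated."""
    counter = struct.pack(">Q", at_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


# Constructed users. "alice" uses the RFC 6238 reference seed so the example can be
# checked against the RFC's published test vectors (e.g. T=59 -> "287082" at 6 digits).
_SALT_ALICE = b"constructed-salt-alice"
USERS = {
    "alice": {
        "salt": _SALT_ALICE,
        "pw_hash": hash_password("correct horse battery staple", _SALT_ALICE),
        "totp_secret": b"12345678901234567890",
    },
}

# Dummy record used for unknown user IDs so that a lookup miss costs the same
# amount of work as a real account (no user enumeration through timing).
_DUMMY_SALT = b"constructed-dummy-salt"
_DUMMY = {
    "salt": _DUMMY_SALT,
    "pw_hash": hash_password("dummy-password", _DUMMY_SALT),
    "totp_secret": b"\x00" * 20,
}


def authenticate(user_id: str, password: str, token: str,
                 now: Optional[int] = None, drift_steps: int = 1) -> bool:
    """Two-factor check: user ID + password AND user ID + time-based security token.

    Both factors are always evaluated and compared in constant time; the caller
    learns only pass/fail, never which factor was wrong or whether the user exists.
    """
    record = USERS.get(user_id, _DUMMY)
    known = user_id in USERS
    pw_ok = hmac.compare_digest(hash_password(password, record["salt"]), record["pw_hash"])

    now = int(time.time()) if now is None else now
    token_ok = False
    # Accept the current step and +/- drift_steps neighbours to tolerate clock drift
    # between the token device and the server.
    for k in range(-drift_steps, drift_steps + 1):
        expected = totp(record["totp_secret"], now + k * TOTP_STEP_SECONDS)
        token_ok |= hmac.compare_digest(expected.encode("ascii"), token.encode("utf-8"))

    return known and pw_ok and token_ok


if __name__ == "__main__":
    # Constructed login attempt: correct password and the RFC 6238 code for T=59.
    print(authenticate("alice", "correct horse battery staple", "287082", now=59))
```

Two points of the design matter for an audit: the server never stores a reversible password, and a failed login gives the same answer (and takes the same time) whether the user ID, the password or the token was wrong, which is what “authentication” as a compliance control is expected to mean in practice.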
- Secure availability of the cloud platform – Most cloud infrastructures are made up of virtualized storage, computing, and networking, or “infrastructure as a service.” The enterprise cloud model is expected to evolve into a combination of virtualized and physical resources, so IT will have control over a portion of the computing and storage resources. Be sure that you have the same security measures in place that you use for access devices – authentication and a secure connection. Also be sure you have standard data protection measures against malware and other threats. Extend that protection to the virtualization layer with malware protection, firewalls, and intrusion detection and prevention designed for that layer.
- Identity and access management – As you move to the cloud, you need to maintain auditing and reporting, especially as part of cloud security and compliance. Identity management services help you monitor and manage cloud security provisioning and governance. You can outsource these to “security as a service” providers, but be sure they provide account management, access control, credential management, authentication, identity-level auditing, identity provisioning, and identity federation.
- Security and compliance management – You need to make sure you have the right services in place for patch management, user configuration, capacity management, availability management, and the like. Of course, cloud security requires more than just security technology. It also requires policies and procedures, secure business processes, and adequate employee training.
- Managing cloud stakeholders – Those who have a stake in the cloud fall into three categories – users, service personnel, and service governance stakeholders. Each has a different set of cloud security processes, policies, and procedures. Users, for example, need credentials, cloud access rights, and a classification level. Service delivery personnel such as architects, developers, and administrators need to ensure proper security configuration and operation. Governance stakeholders include IT managers, CSOs, and auditors: anyone who needs to address auditing and compliance.
Most of these security measures should be covered under your organization’s governance for cloud security. Start by taking an inventory of your cloud computing assets and your business requirements. Consider your audit requirements. Look at your identity access management procedures. Consider your requirements for event management. And make sure your users are properly trained and made security conscious. Cloud security compliance is a matter of preparing for the worst and being able to prove you are secure in the event of an audit. Your best bet is to think like an auditor and build a security framework that addresses all the potential regulatory challenges.
What’s your biggest compliance challenge? Is it internal or external? Are you more concerned with technology or personnel? We’d be interested in hearing from you.