There are many benefits to cloud computing: access from anywhere, scalable storage, virtualization, simple maintenance. However, adopting cloud computing means you need to find a way to secure cloud communications. If the cloud is a series of disparate hosted services delivered over the Internet, then the connectivity channels to those hosted services need to be protected. Delivering secure cloud communications requires you to secure access to those remote services, which is a different discipline than protecting assets within your firewall.
According to an IBM research survey, data breaches are the most common and costly security problem. There are, on average, 2 million cyber-attacks each week costing organizations on average $300,000 per incident. InformationWeek research says that 72 percent of all IT professionals surveyed see a partner or vendor as a security risk, especially with the boom in big data, where lowering the firewalls to promote open data sharing increases risk. Because you only have control over computing assets within the enterprise, and not over the physical data repositories, you have to use different strategies to ensure secure cloud communications.
There are many ways to think about cloud security, but the most useful approach is thinking about secure cloud communications as a form of risk management. To mitigate risk, here are four factors that you need to assess as part of secure cloud communications:
1. Compliance – Compliance is complex, but non-compliance is more expensive, 2.65 times more expensive according to The Ponemon Institute. Fines for failing to comply with HIPAA or Sarbanes-Oxley regulations can run into millions of dollars. If you are audited, the court may demand that you produce copies of emails or data records to demonstrate compliance, and the fact that much of that data may reside in the cloud should not be a problem.
Your best defense is to know your data. Monitor email and cloud communications using content inspection software to watch for non-compliant communications, such as authorization data or financial performance information. Establish and enforce policies that will satisfy the auditors, and remember that with the right protocols in place, it’s often easier to use a cloud service provider’s tracking log to satisfy the auditors.
2. Identity and access management – When your employees start using company credentials to access data beyond the firewall, you have to make sure authentication supports secure cloud communications and doesn’t break. The authentication schema you use within the enterprise may not be compatible with your cloud services. You can try centralized credential management, adopting OpenID, federating identity, or other strategies, but you have to manage credential brokering to third parties. For example, when an employee leaves the company you can revoke network access, but what about access to cloud-based services you do not directly control?
Using a central identity service consolidates control and makes it easy to grant partners and vendors secure access without losing control. Many secure cloud communications authentication approaches use encryption, single sign-on, or data tokenization. Make sure your authentication controls are adequate and manageable.
3. Service availability – Part of risk management is making sure services are available when you need them. With cloud computing you don’t have direct control over uptime so it’s more difficult to manage outages. However, you can mitigate risk by choosing cloud services that offer greater resiliency and guarantee availability with strong service level agreements (SLAs).
Your best strategy is to pick a reliable cloud vendor. Remember there is safety in numbers, and multi-tenancy makes it easier to leverage services that offer reliability, resilience, and scalability. Thinking back to concerns about compliance, also make sure the cloud vendor archives data traffic, such as email, for eDiscovery in the event of an audit.
4. Incident response – With cloud computing there is more risk of an incident, and more tools available for incident response. Since you can’t physically disconnect an infected machine, you have to rely on cloud service providers to stop a malware outbreak or data breach for you.
Using virtual data models you can lower your risk of infection or data loss as part of secure cloud communications. If you are attacked or malware is detected, the cloud provider should be able to provide a log for most of the cloud applications. These logs will be effective in identifying the source of the incident and suggest an appropriate response.
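The offboarding question raised under identity and access management (item 2) can be checked mechanically by reconciling the list of departed staff against each cloud service's account export. The following is an added example, not part of the original article; the service names, CSV columns (`login`, `status`, `auth`) and the treatment of `+tag` addresses as aliases are assumptions, and all data is constructed.

```python
"""Offboarding reconciliation: find cloud accounts still active for departed staff."""
import csv
import io

# Constructed sample data: HR's list of departed employees.
DEPARTED_CSV = """email,left_on
Alice.Ng@example.com,2024-03-01
bob@example.com,2024-04-15
"""

# Constructed per-service account exports (service names are hypothetical).
SERVICE_EXPORTS = {
    "crm": """login,status,auth
alice.ng@example.com,active,sso
carol@example.com,active,sso
""",
    "file-share": """login,status,auth
bob+reports@example.com,active,local
alice.ng@example.com,suspended,sso
BOB@example.com,active,local
""",
}


def normalize(address):
    """Lower-case an address and drop any +tag so aliases map to one identity."""
    local, _, domain = address.strip().lower().partition("@")
    return local.split("+", 1)[0] + "@" + domain


def orphaned_accounts(departed_csv, exports):
    """Return (service, login, auth) for active accounts owned by departed staff."""
    departed = {normalize(r["email"]) for r in csv.DictReader(io.StringIO(departed_csv))}
    findings = []
    for service, export in sorted(exports.items()):
        for row in csv.DictReader(io.StringIO(export)):
            if row["status"] == "active" and normalize(row["login"]) in departed:
                findings.append((service, row["login"], row["auth"]))
    return findings


def local_only(findings):
    """Accounts whose credentials live in the service, not the central identity service."""
    return [f for f in findings if f[2] == "local"]


if __name__ == "__main__":
    for service, login, auth in orphaned_accounts(DEPARTED_CSV, SERVICE_EXPORTS):
        print(f"{service}: {login} still active (auth={auth})")
```

Accounts returned by `local_only` are the ones a central revocation will not reach, so they need to be disabled in the service itself.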
Secure cloud communications is a matter of identifying areas of potential risk and ensuring you have reliable resources to address those risks, such as reliable cloud vendors, with sufficient policies, procedures, and protocols in place to address as many possible threats as necessary. If you can think like an auditor, or a potential hacker, and then identify weaknesses in the cloud infrastructure, you can plug the weaknesses before they become leaks.