The major factor holding many organizations back from adopting a cloud strategy is concern over how to protect data in the cloud. This issue may be overstated as is pointed out in Gartner’s "Top 10 Cloud Myths." However, it is critical to understand the various cloud models and their risks. The risks will vary depending on how an organization uses the cloud, whether in a public, private or hybrid cloud model. No matter what cloud architecture your organization adopts, there are measures you can take to mitigate your risk.
Start With a Plan
Organizations should strategically approach their migration to the cloud. Start with a thorough evaluation of your data to identify the most sensitive and valuable data to determine the data most at risk. Once the data at risk is understood, organizations need to set policies to protect that data by defining best practices and approved cloud use cases and implementing appropriate governance and compliance controls.
Assess Security Protocols
Assessing a cloud provider’s security protocols are a mandatory part of the evaluation process. Security begins with the physical security of the cloud provider's premises. The provider should have access controls that restrict physical access to its premises, as well as robust online access controls that limit which employees can access your servers. They should provide encryption of logs and data and keep your sensitive data isolated from other cloud customers, even as part of backups. The cloud provider should provide network-level security features including next generation firewalls, intrusion detection and intrusion prevention software.
Review the provider's security-related certifications, including ISO 27001. Depending on your industry and the data you plan to hold in the cloud, you should look how they meet appropriate compliance mandates, such as PCI-DSS and HIPAA. Don't just take the cloud provider's word for it; review any independent audit reports. Once you contract with a vendor, you should plan your own periodic reassessment in case changes at the provider or in the services you require impact the security controls.
Understand Your Risks and Ask More Questions
Don't rely on network-level security, but build strong security functionality into the application layer. Encrypt sensitive data both in motion and at rest. While cloud providers offer encryption, you need to understand how the data is encrypted and how key management is handled. Conduct tests and vulnerability assessments that verify the security of your cloud-based data.
A majority of attacks are initiated through web applications, so find out how your cloud provider protects against vulnerabilities like SQL injections, CSRF, XXS and session management. Create a list of questions for your provider to make sure you have covered all your bases.
Stay in Control
Understand that even though you have vetted your cloud provider, it is ultimately your responsibility to understand the inherent risks of your data, apply controls and manage SLAs. Extend your current security fundamentals to the cloud and understand your back-end processes. In addition, you need to train your employees in safe computing practices and define and enforce BYOD policies and controls.
Realize the Benefits of the Cloud
The cloud offers amazing benefits for those who properly implement and secure their infrastructure. Work with experienced experts to ensure that you have dotted all your i’s and crossed all your t’s when it comes to keeping your organization safe in the cloud.
As an expert provider of hybrid IT solutions, we bring a broad portfolio of choice to our customers while providing high-touch customer service. OneNeck’s hosted private cloud, ReliaCloud® is built with industry-leading products and capabilities and is ideal for traditional applications requiring reliable and scalable computing infrastructure.