As McKinsey stated, the changes in how enterprises use technology have made corporate environments harder to protect while increasing the importance of their protection at the same time. When digital data becomes more extensive, businesses are expected to become more ‘open’ and connected, even though the cybercrime landscape evolves year after year.

Cost-saving, flexibility, mobility and security, to some extent, are forcing rapid cloud adoption. A focus on Platform as a Service (PaaS) and Infrastructure as a Service (IaaS) allows organisations to adopt smooth digital transformation and shorten the time to market. Supply chains are also becoming more sophisticated and interconnected. That means responsibility is shared with a vendor, but accountability is still on the business itself.

Deploying cloud technology inevitably implies a loss of control in some respects. When it becomes harder to know exactly what data you even own, asset management, vulnerability and incident management become more challenging. As always, awareness of the challenges involved is key to reducing cloud computing security issues and compliance exposure:

Vendor risk. Before cloud adoption, enterprises enjoyed expansive control over on-premise IT equipment, and vendor risk was limited to firmware and software updates. Cloud implementations imply far broader vendor risk. Cloud vendors are responsible for everything from network security to regulatory compliance, and it is challenging for clients to verify the assurances put in place by vendors.

Data regulations. Enterprises that handle personal and financial data face stiff penalties for violating data protection requirements. Regulations such as GDPR mandate that data is controlled and protected to a high degree. It is easier to comply with data regulations when data is stored on-site or on equipment controlled by an enterprise. Data in the cloud is a different matter altogether.

Credentials and data leakage. Utilising the cloud implies that a wider range of parties will have access to enterprise data, from a wider range of locations. Controlling access rights becomes more difficult once physical barriers are removed, but handing data to an independent third party automatically implies a loss of control.

Mitigating cloud computing security issues and compliance challenges

While it’s pretty easy to scale to the cloud from a technological perspective, proper governance needs to become a top priority, including compliance, risk management, vendor management, proper data classification, access control and change management.

It is impossible to extinguish all technology security exposures from a closed, on-premise computing platform and it is even more challenging to do so in a cloud environment. However, risk mitigation can be effective in reducing the opportunities for loss, harm or noncompliance to minimal levels.

Once your enterprise is aware of the unique cloud computing security issues and compliance risks that enterprise cloud computing poses, it can take mitigating actions:

Measure your risk exposure. Every enterprise adopts cloud computing in a different shape and form. Public clouds can be more cost-effective than a private or hybrid cloud, but they involve relinquishing more control over security and compliance aspects. Similarly, opting for Software as a Service (SaaS), instead of IaaS, combined with your own software, implies less direct control over the software environment. Choose the solution that matches your and your client’s risk tolerance.

Risk-profile your vendors. When using cloud computing, enterprises should remain vigilant against vendor risk. Consider questions around ownership, vendor sustainability and security practices. However, these questions should also be asked of the vendor’s partners as cloud risk management also implies managing risks at the weakest link.

Rapidly learn from failure. Cloud security breaches are constantly in the news, and in many cases, the attackers found brand-new exploits. Wise enterprises will rapidly learn from the mistakes of others and ensure cloud computing practices are quickly adapted to guard against rapid changes in the security environment.

Tightly manage user behaviour and credentials. The cloud is easy to use, accessible and open. Users should be educated in good security practices, while enterprise IT management should insist on inconvenient but effective practices such as two-factor authentication. Also, user credentials should be managed with extreme care: cloud credentials are effectively the keys to the premises.

Get to grips with data compliance. In taking advantage of the cloud, enterprises should strongly focus on the detailed terms of service and ensure that public clouds, hybrid clouds and SaaS/PaaS meet local and international regulatory standards. Understand where your data is stored and ensure that you only work with cloud vendors that practice the required compliance regimes.

From the compliance perspective, you will rely on your vendor’s capabilities to provide data security, resources and workloads. Make sure you’ve covered the essential aspects from your side as well:

- Make sure the NDA, SLA and security baselines are negotiated
- Harden your cloud instance according to vendor recommendations
- Apply and configure custom security controls
- Encrypt your data before moving it to the cloud
- Manage encryption keys yourself, whenever possible
- Deploy honeypots to detect malicious activity
- Collect and analyse logs

“Remember, you’ll be limited when conducting cloud audit, and you’ll need to rely on the 3rd party opinion to verify the cloud provider claims. So, focus on really important audit types like SOC2 Type 2, ISO 27001, CSA STAR, FedRAMP, etc., and check the scope whether those cover all the components you need”, says Iurii Garasym, the Director of Corporate Security at ELEKS. “Also, run penetration testing, monitor the provider yourself where possible, request and check recent OWASP Top10 pen-test reports against their API and portal.”

Consider getting help with cloud security and compliance

Whether cloud computing security issues and compliance aspects should be managed using internal capabilities or indeed by a public cloud provider or SaaS operator depends on the level of internal expertise your enterprise enjoys, the type of data that is handled and the client environment you operate in. Regardless, deploying an expert in cloud security will be highly beneficial. Cloud risks are unique and require evaluation by a partner that intimately knows how the cloud works, whether it involves developing cloud apps from scratch or migrating existing workflows to the cloud.

Contact us for an end-to-end review of your enterprise cloud security objectives; we can guide you towards maximum cloud utility with minimum risk.

Originally published at eleks.com on October 19, 2018.