Thought that title may grab a few eyes... There is a perception that moving to the Cloud opens organisations up to new and greater security risks than the ones they currently face by maintaining a fully internal, self-managed systems model. The security industry is telling us this, and I've been talking about it for years, but let's put some perspective on it. It's not that clear cut... (all the time).
I would say the perception is true in the ideal world where businesses have their act together in regards to securing their environments: effective management and governance structures, a risk management strategy that doesn't fail RM 101 (knowing the whole environment), encompassing policies and standards, a regular security awareness/education commitment, an ongoing security assurance program, a working and tested Incident Management and Response capability, and ongoing analysis of the overall security strategy... Are all the components just mentioned working as well as they should be?
I would say the perception is true if companies head into the cloud without doing their security due diligence and sign up to a service blind, so to speak, in regards to security, making assumptions. It happens all the time. At a minimum, this due diligence should entail: understanding the cloud provider's security model, what sort of security assurance program is in place, what level of testing is done and how often, how security issues are addressed, what level of transparency there is for the client, and most importantly, security testing the solution yourself.
For the latter, we've worked with many clients and cloud providers. Committed cloud providers will work to improve their security to the level expected by discerning clients. I say "committed cloud providers" because some are not committed to the security of their clients' data. Some are happy to let a potential client walk away from the deal because they have decided that that client's business is not a significant enough blip on their radar to warrant the development effort to improve the security of their environment, or worse, the development effort is not core to their primary cause, i.e. building up a large client base. If you get this sense from a Cloud provider, the alarm bells should be ringing. Be careful making "compromises".
But, with a committed cloud provider, on the balance of real-world situations, I put it to you that the Cloud may well be improving many aspects of corporate security when compared with how companies may do things today. Let’s move away from the “ideal world” scenario mentioned at the start of this article and have a look at some realities using an example scenario here:
Company X has always developed and managed their own HR system. (Replace "HR system" with any Cloud-based type of service you may be interested in.) They've never been overly conscious of, nor really paid attention to, security to the level they should. (Their CSO has been trying to improve their practices for years but with little luck; same old story.) Their HR system sits on unpatched boxes, data is transmitted and stored in the clear, their policies around access control and authentication are weak, secure coding is something they have only read about, and the system is never security tested. Also, being a "legacy" system, the company doesn't want to spend any more money on it... But it contains some of the most sensitive data in the company.
In a scenario where a company moves such a system to a cloud-based solution and has done its security due diligence, has the company made the system and the information in it any less secure? Where previously this data resided in an environment of questionable security, without a complete picture of the overall risks in that environment, it now resides in a somewhat siloed environment (clear of a larger insecure environment) that has been tested, is supported by contractual obligations from the provider and is under tighter scrutiny (you would hope) because it is "outsourced". In cases like this, you can argue that there has been a positive change.
Aside from the usual "business" reasons for moving to the cloud, and I never thought I would say it, companies should add "security" as a potential selling point in the business case (IF, as mentioned, it is done right). Of course, that does not mean the company can sit back and assume their duty of care for data security on those systems is now someone else's obligation. At the end of the day, each company is STILL ultimately responsible for its data security. They just need to decide where their data will be more secure when considering the Cloud.
I welcome your thoughts.
On another note, Australia's best IT Security Conference, Ruxcon, has opened registrations.