Slowly but surely, many IT professionals have gotten past the initial fear and anger (which was based on the idea that the Cloud would drastically change or even eliminate their jobs). They are not only accepting the move to the cloud, but looking at it as a way to offload some of their responsibilities, especially in the area of security. It’s natural for overworked personnel to embrace the idea that now security is one less thing they need to worry about, but I think that’s a mistake.
Cloud computing is not a panacea for security woes. What cloud computing will do is delineate separate areas of responsibility, allowing corporate IT admins to focus more on securing clients, mobile devices and the remaining on-premises services (and there inevitably will be some) rather than spreading themselves so thin. Here’s how IT security will look after your move to the cloud:
Cloud providers will obviously handle physical security related to their servers and network. They will also take charge of securing the software and data on those servers. Their roles (and yours) will differ slightly depending on whether they are providing software as a service (SaaS), platform as a service (PaaS) or infrastructure as a service (IaaS).
In any event, the cloud providers certainly have an obligation to their customers to ensure that their infrastructures have proper security controls in place to protect the applications and information that reside on their physical and virtual machines. But that doesn’t absolve cloud customers of their own obligations to their users, their companies’ clients, and others who entrust data – sometimes including very personal or confidential information – to them.
If you’re in a regulated industry such as healthcare or financial services, your organization is required by law to protect the privacy of certain client data. Whether you store the electronic forms of that data on your own premises or in the cloud, the liability rests with your organization if the data is compromised. Even if the physical location of the data is not on your premises, you are ultimately responsible for compliance and reporting. It’s up to you to make certain not only that the proper logs and audit trails are maintained, but also that they are secured yet accessible if and when needed.
Your security responsibilities begin with the process of choosing a cloud provider. The Federal Risk and Authorization Management Program (FedRAMP) in the U.S. is a government program that brings together cybersecurity and cloud computing experts from agencies such as DOD, NSA, DHS, NIST and more, along with private industry experts, to provide security assessment of cloud service providers.
Some decision makers might assume that because a particular CSP is FedRAMP approved, its services will be just as secure as every other approved CSP. They’re thinking in terms of programs such as the FDIC (Federal Deposit Insurance Corporation), which guarantees that the money you deposit in an FDIC insured financial institution (in certain types of accounts and up to certain limits) is safe even if the bank fails. However, the two are in no way comparable. FedRAMP is not an insurance program; it’s merely a program for certifying that certain standards are met.
CSPs approved by FedRAMP (or any other assessment program) are not likely to be equal in terms of the level of security you get, any more than all physicians who meet the minimum standards to obtain a license to practice are equally competent. Approval status should be a starting point only.
On the other hand, not every business needs the same level of security for their cloud-based apps and data. It’s important to do a security needs assessment before you start comparing providers. Consider what types of services you are planning to move to the cloud, how sensitive the data is that you plan to store in the cloud, and what legal mandates (if any) your business falls under.
You should ask plenty of questions of each cloud provider you consider – don’t assume anything. Find out about the physical location and environment of the datacenter(s) and, especially, how much separation there is between different customers’ networks and resources. A multi-tenant environment presents obvious security concerns; you want to know how the provider addresses them. Find out whether the provider hosts everything in the datacenter, or operates in a tiered environment, where the provider gets services from other providers.
Ask specific questions about such matters as identity management, access control technologies and authentication. Certainly two-factor authentication is a minimal requirement, but what types of factors are used, and who is the provider of the certificates or tokens? What type of encryption is used to protect data? Ask about preventative security measures such as patch management and deterrent measures such as firewalls and IDS/IPS. Also ask what incident response measures have been established, and find out what HR practices exist to screen the cloud provider’s personnel who will have access to your data.
Moving some of your IT services to the cloud can save money, lighten the burden on corporate IT, and free up facility resources. The move to the cloud doesn’t have to come at the expense of security – but the cloud is not a “Get out of Jail Free” card that liberates you from ever having to think about security again. Instead of looking to put the security of your data into a CSP’s hands, think about how you can work in partnership with your provider to keep your company’s vital information safe.