Mind the gap - Cloud Security

06 March 2018

Adoption of cloud computing is rapidly increasing (the cloud market is predicted to be worth $383.3bn by 2020, according to Gartner¹). Yet attacks such as the WannaCry ransomware and the Equifax data breach have raised concerns around cloud security and have forced organisations to re-evaluate their readiness to move to the cloud.

When asked about their top three concerns on moving to the cloud, my clients unsurprisingly tell me security, followed closely by protecting sensitive data from unauthorised access, and the increased complexity of infrastructure.

In my previous blog I explored the need to ask the right questions early on, to clarify who is responsible for security both ‘in’ the cloud, as well as ‘of’ the cloud. So what are the common security pitfalls and how can organisations address them? Here are a few to be mindful of:

Common security pitfalls and how to address them

Understanding the use of cloud and Shadow IT: Organisations have limited visibility into how the cloud is used, which apps are deployed in it, what information those applications collect and store and, more importantly, who has access to that data.

The emergence of shadow IT (hardware or software within an enterprise that is not managed by the organisation's IT function) means there may be multiple cloud providers in use that are not monitored or managed effectively.

Technical solutions such as a Cloud Access Security Broker (CASB) can increase visibility into cloud activity: which services are running, who is using them, and which data is at risk.

Through the use of a cloud discovery tool, organisations gain a greater understanding of their cloud environment and can identify potential legal, compliance and privacy requirements. This also enables IT to empower the business to embrace technology rather than block it.
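As an added illustration of what cloud discovery does (this is not code from the original post and not any CASB product's logic), the script below runs over a handful of constructed web-proxy log lines, maps destination hosts to a small hand-built service catalogue, and reports which services are in use, by how many users, how much data is being uploaded to them, and whether each one is sanctioned. The log format, the catalogue, the sanctioned list and the upload threshold are all assumptions made for the example; a real tool would use the organisation's proxy or firewall logs and a vendor catalogue of thousands of services.

```python
"""Shadow-IT discovery over web proxy logs (added example, not the post's own code).

Assumes a space-separated log format: timestamp user method url bytes_out bytes_in.
The service catalogue, sanctioned list and sample log are constructed for the example.
"""
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed catalogue: domain -> (service name, category). Subdomains match too.
SERVICE_CATALOGUE = {
    "sharepoint.example.com": ("Corporate SharePoint", "collaboration"),
    "crm.example-saas.net": ("Approved CRM", "business"),
    "files.freeshare.example": ("FreeShare", "file-sharing"),
    "notes.quicknote.example": ("QuickNote", "productivity"),
    "api.pastebox.example": ("PasteBox", "code-sharing"),
}

# Services the organisation has procured and reviewed (assumed).
SANCTIONED = {"Corporate SharePoint", "Approved CRM"}

# Constructed sample proxy log lines.
SAMPLE_LOG = """\
2018-03-06T09:01:12Z alice GET https://sharepoint.example.com/sites/finance 512 20480
2018-03-06T09:03:44Z alice POST https://files.freeshare.example/upload 5242880 300
2018-03-06T09:05:01Z bob POST https://files.freeshare.example/upload 10485760 300
2018-03-06T09:07:19Z carol GET https://crm.example-saas.net/contacts 400 15000
2018-03-06T09:09:55Z bob POST https://api.pastebox.example/v1/paste 20480 200
2018-03-06T09:11:02Z dave GET https://notes.quicknote.example/n/42 300 8000
2018-03-06T09:12:30Z dave GET https://intranet.example.com/ 200 4000
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d+) (\d+)$")


def parse_line(line):
    """Return a dict for a well-formed log line, or None for a malformed one."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, user, method, url, out_b, in_b = m.groups()
    host = urlparse(url).hostname or ""
    return {"ts": ts, "user": user, "method": method, "host": host,
            "bytes_out": int(out_b), "bytes_in": int(in_b)}


def classify(host):
    """Match a host against the catalogue by exact domain or any parent domain."""
    parts = host.split(".")
    for i in range(len(parts)):
        candidate = ".".join(parts[i:])
        if candidate in SERVICE_CATALOGUE:
            return SERVICE_CATALOGUE[candidate]
    return None


def discover(log_text):
    """Aggregate usage per cloud service: distinct users, bytes uploaded, sanctioned flag."""
    report = defaultdict(lambda: {"users": set(), "bytes_out": 0,
                                  "category": "", "sanctioned": False})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        match = classify(rec["host"])
        if match is None:
            continue  # not a catalogued cloud service (e.g. the intranet)
        name, category = match
        entry = report[name]
        entry["users"].add(rec["user"])
        entry["bytes_out"] += rec["bytes_out"]
        entry["category"] = category
        entry["sanctioned"] = name in SANCTIONED
    return dict(report)


def shadow_it(report, upload_threshold=1_000_000):
    """Unsanctioned services, flagging those receiving large uploads as data at risk."""
    findings = []
    for name, e in sorted(report.items()):
        if e["sanctioned"]:
            continue
        findings.append({"service": name, "category": e["category"],
                         "user_count": len(e["users"]),
                         "bytes_out": e["bytes_out"],
                         "data_at_risk": e["bytes_out"] >= upload_threshold})
    return findings


if __name__ == "__main__":
    for f in shadow_it(discover(SAMPLE_LOG)):
        flag = "DATA AT RISK" if f["data_at_risk"] else ""
        print(f"{f['service']:<10} {f['category']:<13} users={f['user_count']} "
              f"uploaded={f['bytes_out']} {flag}")
```

On the sample log this surfaces three unsanctioned services, with FreeShare flagged because two users have pushed over 15 MB to it; that is the "data at risk" view the post attributes to a CASB, and the natural next step is to feed such findings into the legal and privacy review the paragraph describes.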

Lack of governance: Organisations that consume cloud services often have no clear governance over how those services are procured. This is further complicated by an ever-changing compliance landscape. GDPR, for example, introduces significant requirements such as 72-hour breach notification, and various data privacy regulations require data localisation or restrict data transfer to certain jurisdictions.

The nature of the cloud is such that each service model (IaaS, PaaS and SaaS) has to be treated differently to secure it effectively and at scale across multiple cloud providers.

An organisation-wide cloud policy needs to be established to create a structured approach to managing multi-cloud deployments.

Security “of” vs “in” the cloud: Not understanding who is responsible for what between an organisation and its cloud service providers (CSPs) can eventually lead to security incidents in the cloud that compromise sensitive data.

Organisations that develop a clear shared responsibility model (for example a RACI matrix) with their CSPs, while acknowledging that security is a collaborative effort, are better placed to avoid or contain security incidents in the cloud.

Lack of security design processes and procedures: Most organisations have no policies or standards for configuring cloud solutions. Their cloud architecture is often the result of ad-hoc efforts by developers using the cloud as a rapid prototyping environment. Poorly configured systems give attackers vulnerabilities to exploit and can lead to intrusion.

Companies should have a cloud architecture that is designed with security in mind.

Organisations should define standards for configuring existing and new cloud services, and those standards should embed robust security practices. The security architecture should cover identity and access management and governance, data protection and encryption, data loss prevention, and security monitoring and operations.
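The paragraph above asks for configuration standards; the added example below (not the post's own code, and provider-neutral by design) shows what such a standard looks like once it is made checkable. A constructed inventory of storage, database and identity resources is evaluated against a small rule set covering the areas the post names: access control and MFA for privileged identities, encryption at rest, an approved-region constraint standing in for a data-localisation requirement, access logging for security monitoring, and key rotation. The resource model, rule names, allowed regions and the 90-day key age are assumptions; in practice the inventory would come from the provider's API or from infrastructure code, and the gate would run in the deployment pipeline.

```python
"""Baseline checks for cloud resource configuration (added example, not the post's code).

Resources are provider-neutral dicts; the inventory and the rules are constructed
assumptions standing in for an organisation's own configuration standard.
"""

# Constructed inventory: the kind of ad-hoc, developer-built estate the text describes.
INVENTORY = [
    {"id": "bucket-finance-exports", "type": "storage", "public_access": True,
     "encryption_at_rest": False, "access_logging": False, "region": "eu-west"},
    {"id": "bucket-app-assets", "type": "storage", "public_access": False,
     "encryption_at_rest": True, "access_logging": True, "region": "eu-west"},
    {"id": "db-customers", "type": "database", "public_access": True,
     "encryption_at_rest": True, "backups": True, "region": "us-east"},
    {"id": "admin-jane", "type": "identity", "admin": True, "mfa": False,
     "access_keys_age_days": 400},
    {"id": "svc-deploy", "type": "identity", "admin": False, "mfa": False,
     "access_keys_age_days": 30},
]

ALLOWED_REGIONS = {"eu-west", "eu-central"}   # assumed data-localisation requirement
MAX_KEY_AGE_DAYS = 90                         # assumed rotation standard

# Each rule: (name, severity, resource types it applies to,
#             predicate that is True when compliant, remediation text)
RULES = [
    ("no-public-access", "high", {"storage", "database"},
     lambda r: not r.get("public_access", False), "disable public access"),
    ("encryption-at-rest", "high", {"storage", "database"},
     lambda r: r.get("encryption_at_rest", False), "enable encryption at rest"),
    ("access-logging", "medium", {"storage"},
     lambda r: r.get("access_logging", False), "send access logs to central monitoring"),
    ("approved-region", "high", {"storage", "database"},
     lambda r: r.get("region") in ALLOWED_REGIONS, "migrate to an approved region"),
    ("admin-mfa", "high", {"identity"},
     lambda r: (not r.get("admin", False)) or r.get("mfa", False),
     "enforce MFA for privileged identities"),
    ("key-rotation", "medium", {"identity"},
     lambda r: r.get("access_keys_age_days", 0) <= MAX_KEY_AGE_DAYS, "rotate access keys"),
]


def evaluate(resources, rules=RULES):
    """Return one finding per (resource, failed rule), in inventory and rule order."""
    findings = []
    for res in resources:
        for name, severity, types, compliant, fix in rules:
            if res["type"] in types and not compliant(res):
                findings.append({"resource": res["id"], "rule": name,
                                 "severity": severity, "remediation": fix})
    return findings


def summarise(findings):
    """Count findings by severity, for a dashboard or a deployment gate."""
    counts = {"high": 0, "medium": 0}
    for f in findings:
        counts[f["severity"]] += 1
    return counts


def gate(findings):
    """Deployment gate: allow only when no high-severity finding remains."""
    return all(f["severity"] != "high" for f in findings)


if __name__ == "__main__":
    found = evaluate(INVENTORY)
    for f in found:
        print(f"[{f['severity']:<6}] {f['resource']:<24} {f['rule']:<18} -> {f['remediation']}")
    print("summary:", summarise(found), "deploy allowed:", gate(found))
```

Running it against the constructed inventory produces five high and two medium findings and blocks the deployment; the publicly readable, unencrypted finance bucket is exactly the class of misconfiguration the paragraph warns about, and expressing the standard as rules means the same check runs on every new service rather than relying on each developer to remember it.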

Security as a habit: Security is often an afterthought rather than something approached with acceptance and preparation. Cloud security needs to shift from being exclusive (owned by a security team alone) to being inclusive (shared across teams) in order to bring about this cultural change.

For security to be effective, security processes and people need to be involved as early as possible in the systems delivery lifecycle. One way of doing this is to involve security teams in the design stage of a process or a system. This makes security an integral part of any process.

Cloud is here to stay, and traditional security methods need to evolve in line with technology advances: knowing where your data is, who controls it and who has access to it is critical. The quicker organisations improve their cloud security, the better equipped they will be to exploit opportunities in the digital world.

¹ Source: Gartner, February 2017 (www.gartner.com/newsroom)

Krishna Iyer | Director
Profile | +44 (0)7841 566415
