Move Securely to the Cloud: Gain the Advantages - InformationWeek

Steven Weil, Security Director, Point B

Move Securely to the Cloud: Gain the Advantages

Organizations can reap the full benefits of the cloud and avoid potential security risks by following four fundamental steps.

Across the world, organizations are adopting cloud-based services to gain the benefits of rapid deployment, scalability, and cost savings. Yet security worries still prevent many organizations from moving their sensitive data and business functions to the cloud. With cybersecurity breaches on the rise, executives and boards of directors are increasingly concerned about protecting their organizations' data and information systems, whether they are in or out of the cloud. C-suite executives are demanding rigorous due diligence and greater security controls—and wondering if it's enough.

The hesitation to fully embrace the cloud is perpetuated by two common but conflicting myths about its security: one, that the cloud is secure by default; and two, that the cloud can never be secure enough for sensitive data and information systems. The reality is that, with proper planning and controls, the cloud can be secure enough for even sensitive data and information systems. 

How can your organization reap the full benefits of the cloud and avoid potential security risks? By following four fundamental steps:

Establish clear controls and responsibilities

Who's in charge of your data security? It's essential to identify and clearly define which security controls are managed by your cloud-service providers (CSPs), and which are your organization's responsibility. Organizations should never rely solely on their CSPs to secure their data and information systems. Ultimately, your organization is responsible for securing these valuable assets, wherever they reside. 

Because the dividing line between a CSP's cybersecurity responsibilities and those of an organization can be fuzzy, it's important to formally discuss and document these responsibilities with a CSP before signing a contract with them. Verify any assumptions about how a CSP will protect your organization's data and information systems.

Many CSPs, such as Amazon Web Services, publish a "shared responsibility model" for security controls. Under this model, the CSP is responsible for security of the cloud (the physical facilities, hardware, network and virtualization layer), while the customer is responsible for security in the cloud: the guest operating systems and their patching, network and firewall configuration, identity and access management, and the applications and data hosted on that infrastructure. The exact split shifts with the service model; a managed (PaaS or SaaS) offering moves more onto the provider, but your data, your user accounts and your access policies remain yours. Because some division of responsibility applies to every cloud service, look for CSPs that have formally documented theirs, and map each of your required controls to one side of that line. You want a mature organization that clearly understands its security responsibilities.

Encrypt all data being sent and stored

Making a secure move to the cloud includes ensuring that all data travels over an encrypted channel (TLS, with certificate validation enforced) whenever it is uploaded to or downloaded from the cloud, including the API and management calls your organization makes to the CSP. Also be sure to strongly encrypt all sensitive data (e.g. medical information, financial data) stored in the cloud, using a current, well-reviewed algorithm such as AES rather than anything home-grown.

Strictly limit who is allowed to decrypt sensitive data stored in the cloud. Never store decryption keys alongside the encrypted data in the cloud; a copy of the ciphertext that also carries its key is effectively plaintext to whoever obtains it. And do not share your cryptographic keys with your CSP: if the provider holds the keys, the provider (and anyone who compromises or compels it) can read your data. Your organization should have sole control over them, which in practice means encrypting sensitive data before it is uploaded rather than relying only on provider-managed encryption. Reduce your risk by documenting and implementing a formal cryptographic key management process that covers the generation of strong cryptographic keys together with their secure distribution, storage, rotation and retirement.
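The "encrypt before upload, keep the key yourself" rule above, worked as an added example (this is not code from the article or from any provider): client-side envelope encryption in Go using only the standard library's AES-256-GCM. It assumes a key-encryption key (`kek`) obtained from an on-premises key store or HSM, an arbitrary storage path as the object name, and a constructed sample record. The only thing handed to the provider is the `CloudObject`, which holds the ciphertext and a per-object data key that is itself encrypted under the KEK; the CSP never receives a key it can use.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// CloudObject is the only thing uploaded to the provider. It carries no
// usable key: the data key is present only in wrapped form, and the
// key-encryption key (KEK) that unwraps it stays on premises.
type CloudObject struct {
	Name       string // storage path; bound to the ciphertext as AEAD associated data
	Nonce      []byte
	Ciphertext []byte
	KeyNonce   []byte
	WrappedKey []byte // 32-byte data key, AES-256-GCM encrypted under the KEK
}

// seal encrypts plaintext under key with AES-GCM using a fresh random nonce.
func seal(key, plaintext, aad []byte) (nonce, ct []byte, err error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, nil, err
	}
	nonce = make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, nil, err
	}
	return nonce, gcm.Seal(nil, nonce, plaintext, aad), nil
}

// open reverses seal; it fails if key, nonce, ciphertext or aad do not match.
func open(key, nonce, ct, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, nonce, ct, aad)
}

// EncryptForUpload performs client-side envelope encryption: a random
// per-object data key encrypts the data, and the KEK wraps the data key.
// The caller uploads the returned object over TLS; the KEK never leaves the caller.
func EncryptForUpload(kek []byte, name string, plaintext []byte) (*CloudObject, error) {
	if len(kek) != 32 {
		return nil, errors.New("KEK must be 32 bytes (AES-256)")
	}
	dataKey := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, dataKey); err != nil {
		return nil, err
	}
	aad := []byte(name) // binds the ciphertext to its storage path
	nonce, ct, err := seal(dataKey, plaintext, aad)
	if err != nil {
		return nil, err
	}
	keyNonce, wrapped, err := seal(kek, dataKey, aad)
	if err != nil {
		return nil, err
	}
	return &CloudObject{Name: name, Nonce: nonce, Ciphertext: ct, KeyNonce: keyNonce, WrappedKey: wrapped}, nil
}

// DecryptAfterDownload unwraps the data key with the KEK and then decrypts.
// A wrong KEK, a tampered ciphertext, or an object moved to a different
// name all fail authentication instead of yielding garbage.
func DecryptAfterDownload(kek []byte, obj *CloudObject) ([]byte, error) {
	aad := []byte(obj.Name)
	dataKey, err := open(kek, obj.KeyNonce, obj.WrappedKey, aad)
	if err != nil {
		return nil, fmt.Errorf("unwrap data key for %q: %w", obj.Name, err)
	}
	pt, err := open(dataKey, obj.Nonce, obj.Ciphertext, aad)
	if err != nil {
		return nil, fmt.Errorf("decrypt %q: %w", obj.Name, err)
	}
	return pt, nil
}

func main() {
	// Constructed sample. In practice the KEK comes from an on-premises HSM or key vault.
	kek := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, kek); err != nil {
		panic(err)
	}
	record := []byte("mrn=12345;note=sample medical record") // constructed sample data
	obj, err := EncryptForUpload(kek, "records/2020/12345.json", record)
	if err != nil {
		panic(err)
	}
	fmt.Printf("upload %d ciphertext bytes and a %d-byte wrapped key; no plaintext key leaves the client\n",
		len(obj.Ciphertext), len(obj.WrappedKey))
	pt, err := DecryptAfterDownload(kek, obj)
	fmt.Println("round trip ok:", err == nil && string(pt) == string(record))
}
```

TLS still protects the upload itself; what this adds is that the stored object is useless to the provider or to anyone who copies the bucket, and that wrapping the key with the object name as associated data means a ciphertext silently moved or renamed on the provider's side no longer decrypts.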

Spell it out: Service-level agreements and contracts

A service-level agreement (SLA) can eliminate gray areas by defining expected levels of service for a CSP along with the consequences (such as a customer service credit) if such levels are not met. 

In addition to standard requirements, such as availability and performance, be sure to include cybersecurity-related items, such as the maximum time before a cybersecurity incident at a CSP must be reported. This sets a tone with the CSP and lets them know your organization takes cybersecurity seriously. 

Your contract with a CSP should clearly state the security controls and cybersecurity standards that the CSP must maintain (e.g., PCI DSS, HIPAA, FISMA), along with your right to audit their compliance or, at minimum, to receive their independent assessment reports. It should state that your organization owns the data it has stored with the CSP, that you have the right to get the data back in a usable format when you leave, and that the CSP must then securely delete its copies. It should also give your organization the right to stop using the CSP if it does not meet the requirements of your contract or SLA.

Go with an audit-proven CSP

Choose a CSP that regularly has independent third-party assessments of its cybersecurity practices. Third-party assessments are usually more rigorous and meaningful than self-assessments. Depending on the nature of your business, good third-party assessments for CSPs include SOC reports (issued under SSAE 16, now superseded by SSAE 18), PCI DSS, FedRAMP and CSA STAR. Whenever possible, ask to see the full assessment reports, which are usually available under a non-disclosure agreement; they contain much useful information about CSP cybersecurity practices. Read them rather than filing them: confirm that the report's scope actually covers the services and regions you will use, check the audit period, and review any exceptions the assessor noted, since an attestation for a service you do not use proves nothing about the one you do.

In the end, the cloud is as secure as your organization and your CSPs make it, together. Choose a mature CSP that has gone through independent audits. Insist on detailed contracts and SLAs. Encrypt your data. And establish clear internal controls and responsibilities. These essential steps will enable your organization to move to the cloud with confidence.

Steven Weil is security director at Point B, an integrated management consulting, venture investment, and real estate development firm. Over the past 20 years, he has provided a wide variety of cybersecurity services to hospitals, universities, state government agencies, cities and large companies throughout the United States.
