Despite the popularity of the cloud and the momentum of many organizations making the shift from on-premise computing to cloud platforms, many are still concerned about cloud security. It makes sense; there is something disconcerting about how intangible the cloud is compared to having your own servers on site where you can see and touch them. “Your” cloud is being shared by other people; what if even one of them is a “bad actor”?
These fears have an impact on cloud adoption, and cloud computing only accounts for about 10 percent of the hosting industry. But just because the cloud is not under your roof doesn’t mean it is completely out of your control. Confidence in the security of its cloud is what lets an enterprise feel in control again and trust that the cloud is safe, and that confidence starts with due diligence before selecting a cloud vendor.
It might sound too simple, but the best way to feel more comfortable with using the cloud is to do your own research on whichever vendor you choose to use.
As Brian Castagna, Senior Director of Information Security at Acquia, told CIO Review in August, when you are looking to switch to the cloud, you first need to “make sure your security team is integrated with the business early in the procurement cycle. Get third-party audit reporting from the cloud provider, such as SSAE 16, SOC 2, and PCI DSS.” Brian also expressed the vital importance of getting to know the security team at your chosen cloud provider, including visiting them in person.
Evaluating Security Compliance and Security Services
While there are many aspects of cloud security to consider when deciding whether to move to the cloud via a third-party vendor, two key areas to look closely at are security compliance (conformance with laws and regulations) and security services (software).
Security compliance is a set of controls and remediations dictated by different industries, from ecommerce to health care, and by government. Before moving to the cloud, it’s important to know what information you will be storing, and whether that data contains personally identifiable information (PII). Different data in different industries requires different levels of security and compliance.
For example, if you’re a health care organization or doing work for one, not only do you have to be HIPAA compliant, so does your cloud vendor. If you’re a government agency, you’d most likely look for vendors that hold an “authority to operate” (ATO) from FedRAMP. For consumer goods or any organization with a commerce business where credit card transactions take place on your cloud-hosted site, you’d want to make sure that your cloud vendor has Payment Card Industry Data Security Standard (PCI DSS) controls in place.
Many of these aren’t just guidance or best practices; some security requirements, such as HIPAA, are actual laws.
When you’re storing any kind of PII in the cloud, you need to prevent attackers from accessing it. This means you need to look for a vendor that has encryption in place.
However, encryption is but one step of many in a modern security process. In addition to implementing encryption, it is important to identify and close vulnerabilities in the application and the underlying platform. When setting up encryption, there are a number of considerations, starting with: is the data encrypted only at rest, when I store it, or is it encrypted end to end?
Once you’ve reviewed compliance audits and encryption, even the most secure cloud still needs intrusion detection. This means anti-virus software and application firewalls that alert the security team to threats, contain them, and place a barrier between attackers and your site. In a cloud implementation these protections are needed on every instance, not just a single one.
Every layer of the infrastructure needs to be secured, preventing unauthorized access to load balancers and guarding against common tactics like SQL injection. Every layer can have vulnerabilities, so each requires penetration testing to ensure it is secure.