Cloud Computing Security

Top Tips: How to move to the cloud securely

Bob West is Chief Trust Officer at CipherCloud, the leader in cloud visibility and data protection, and has spent over a decade in security leadership roles with financial and professional services organisations where he oversaw security strategy, audit and compliance across global teams. He has held Chief Information Security Officer roles at Fifth Third Bank and Bank One, led Ernst & Young’s security practice, and was a Senior Systems Officer with Citicorp. He most recently served as founder and CEO of Echelon One, a fast-growing risk consulting firm.

Bob shares his top tips on the steps users should take if they are using the cloud and how they can ensure their data is protected. 

Cloud computing brings a host of financial and business benefits and also risks such as cyber criminals targeting the cloud to steal corporate data. As a result, moving a company’s sensitive data to a third party cloud complicates the risk landscape. Because corporate information is of enormous value to a criminal, cloud defence is a business imperative. 

If an organisation handles customer data, committing to the cloud is anything but a simple decision. Moving data into the hands of third party cloud providers is something not to be taken lightly.

Organisations need to understand exactly what measures must be taken to protect information in the cloud – especially during a time when public cloud environments continue to evolve quickly.

Here are five tips that will allow organisations to move to the cloud securely.

Adopt a lifecycle approach for cloud visibility and data protection – discover, protect, monitor - In order to build a comprehensive cloud security strategy, enterprises need to have visibility into their extended boundaries, which includes both the on premises network as well as the growing number of cloud applications used by the technology group and employees.  

A logical starting point is to discover all the clouds in use and assess the risk of each application. Comprehensive cloud visibility uncovers shadow IT and unsanctioned cloud applications that employees might have downloaded without notifying IT. This insight can yield several benefits, from purging risky apps to trimming technology costs. A recent report by 451 Research estimated that 79% of employees use shadow IT applications.

Additionally, identifying all the cloud applications in use and the types of data they hold helps information security teams map the appropriate security controls to the cloud. Examples of these controls include searchable strong encryption (SSE), key management and tokenisation, integrated with data loss prevention (DLP) for policy setting, to proactively guard against unauthorised access.

Finally, continuously monitor activity to detect and flag anomalous user behaviour around data. For instance, if a London-based employee logged out of an application from an office IP address and five minutes later logged in from an Iranian IP address, this may indicate a breach in the system that could put valuable data at risk.
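The login anomaly described above is commonly called an impossible-travel check. The following is an added example, not part of the original article, that flags it over constructed events; the event fields, the 900 km/h speed ceiling and the 50 km floor are assumptions, and the embedded coordinates stand in for a GeoIP lookup.

```python
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

MAX_KMH = 900.0  # assumed ceiling: roughly airliner cruise speed

# Constructed sample events: (user, ISO time, action, source IP, lat, lon).
# IPs are from documentation ranges; coordinates stand in for a GeoIP lookup.
EVENTS = [
    ("alice", "2014-10-27T09:00:00", "logout", "203.0.113.10", 51.5074, -0.1278),
    ("alice", "2014-10-27T09:05:00", "login", "198.51.100.77", 35.6892, 51.3890),
    ("bob", "2014-10-27T09:00:00", "login", "203.0.113.11", 51.5074, -0.1278),
    ("bob", "2014-10-27T17:30:00", "login", "203.0.113.12", 53.4808, -2.2426),
]

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlmb = p2 - p1, radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def impossible_travel(events, max_kmh=MAX_KMH):
    """Alert on consecutive per-user events whose implied speed exceeds max_kmh."""
    alerts, last = [], {}
    for user, ts, action, ip, lat, lon in sorted(events, key=lambda e: (e[0], e[1])):
        when = datetime.fromisoformat(ts)
        if user in last:
            p_when, p_ip, p_lat, p_lon = last[user]
            km = haversine_km(p_lat, p_lon, lat, lon)
            hours = (when - p_when).total_seconds() / 3600
            # Same-second events from distant places count as infinite speed.
            speed = km / hours if hours > 0 else (float("inf") if km > 0 else 0.0)
            if km > 50 and speed > max_kmh:  # 50 km floor absorbs GeoIP jitter
                alerts.append({"user": user, "from_ip": p_ip, "to_ip": ip,
                               "km": round(km), "minutes": round(hours * 60, 1)})
        last[user] = (when, ip, lat, lon)
    return alerts

if __name__ == "__main__":
    for alert in impossible_travel(EVENTS):
        print(alert)
```

In production, VPN egress points and mobile carrier gateways produce the same pattern, so alerts of this kind are usually triaged against a list of known corporate and VPN ranges before escalation.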

Understand the extent of cloud applications in the extended enterprise AND the data they store - The two most important benefits the above lifecycle approach brings are: insight into all the cloud applications in your enterprise and visibility into the data moving to those applications.

Cloud visibility helps organisations locate, identify and risk score the applications. With that intelligence, the foundation for understanding the cloud environment is created. In parallel, organisations need to take stock of the types of data that are going to the cloud, such as credit card numbers, personally identifiable information, healthcare records or research for future products. Combining this level of cloud and data insight provides a stronger basis for taking the appropriate action to protect the enterprise.

As the recent retail breaches demonstrate, enterprises that fail to protect sensitive data need to inform their customers when security breaches occur. Most privacy regulations will require notification, which can damage a company’s brand and reputation.

Know what regulations you need to comply with to operate in the geographies where business is conducted - The growth of the cloud has made companies more sensitive to privacy regulations, with governments and standards bodies strengthening data privacy mandates around the world. From the Information Commissioner’s Office (ICO) in the UK to Payment Card Industry (PCI) standards for retailers, a major regulatory compliance trend is that regulators are updating rules to clarify responsibility for protecting customer information in the cloud and to strengthen the requirements.

Guidance from the UK’s ICO, the EU Privacy Directives, PCI and the Australian Privacy Amendment all state that cloud customers are now responsible for protecting their data and will incur financial penalties in the event of a breach if their data is inadequately protected. Compounded with the NSA revelations, government surveillance and data privacy have moved into the spotlight, increasing pressure on businesses to do everything they can to protect their data wherever it is stored.

Understand contractual agreements with cloud providers and determine what they are responsible for - Established cloud providers do their part in securing their environments by offering a broad range of security services. To complement this, a cloud provider’s controls should be paired with data protection tools like encryption and tokenization. These tools add a complementary protection layer in case of a password or network compromise. At the end of the day, stronger protection benefits cloud customers. Should a breach occur, the customer will be held responsible for the loss of their data.

Revisit the cloud environment regularly to ensure it continues to be relevant to the business and technology environment - Now that your enterprise’s cloud visibility and data security strategy is in force, keep it up to date. Regulations change over time, particularly when it comes to the cloud where disruptive technologies create new concerns to which the laws then adapt. It’s vital you stay on top of regulatory changes because pleading ignorance of compliance changes isn’t an acceptable defence for violations.

Complement cloud security controls by unifying visibility for all cloud data. Tools such as data discovery and anomaly detection will impart deeper intelligence into the types of data that employees are moving into the cloud and flag potential misuse. The insight these tools shed will help you match the different types of data with the security controls required to protect them in the cloud.

Ongoing employee education

Data breaches are continuing to increase in size and frequency. The recent string of high profile breaches has underscored the need for an effective cloud information protection strategy.

There are no silver bullets for protecting information in the cloud, but what technology and information security teams can do is take a lifecycle approach that can work in tandem with the unavoidable patches and software updates. The best protection strategy enables enterprises to extend their security, privacy and compliance needs into the cloud.

Managing human behaviour is another important objective for an enterprise that is moving to the cloud. Help all employees understand what they need to do to protect information as related to their job functions. While it’s important to have the right technology tools, an organisation needs a combination of people, processes and tools. This will help them minimize the risk of their information being compromised and, as a consequence, have fewer security incidents.
