The impact of these security breaches can be quite overwhelming: up to 80 million of Anthem’s customers had their personal information stolen; up to 60 million credit card numbers were stolen from Home Depot; 76 million households and 7 million small business customers of JP Morgan Chase had their contact information stolen; and Target estimates that its data breach cost $162 million. All of these were the result of IT security breaches.
So is it really safe to put your IT computing out in the cloud?
Cloud security is in many ways no different than implementing good standard traditional IT security. As the Cloud Security Alliance (CSA) points out “Security controls in cloud computing are, for the most part, no different than security controls in any IT environment.” (Security Guidance for Critical Areas of Focus in Cloud Computing V3.0, p21). In fact, if you already operate a “tight IT ship,” then you are well positioned to operate securely in the cloud. Here are a couple of areas to keep in mind when discussing cloud security.
- Cloud security is part of the larger Governance-Risk-Compliance (GRC) framework.
One thing to fully realize is that cloud security is not an island. Implementing cloud security must be done within the context of corporate governance (how do we measure and report on cloud security?) and enterprise risk management (what new risk does cloud computing bring, and how is it mitigated, transferred, or reduced?). Compliance with external regulations and internal audit policies needs to be reassessed for cloud-based assets and translated into new cloud security techniques.
- You still need to manage the C-I-A principles of security.
In traditional IT security management, we apply the principles of confidentiality, integrity and availability (C-I-A). These fully apply to a cloud IT environment:
- Cloud Confidentiality: We need to ensure that data at rest (cloud storage) and data in flight (cloud transmission) are fully private and free from external eavesdropping or interception.
- Cloud Integrity: Once cloud data is retrieved, we need to ensure that the data is valid and has not been tampered with. We need assurance that the data is authentic and, if it was changed, that we have a way to detect that change.
- Cloud Availability: Cloud data and resources need to be available when the consumer of that data or resource wants to use it. Timely access to cloud resources is critical to business operations. One implication of this in a cloud context is that we need to protect ourselves against a denial-of-service (DoS) attack.
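As an added illustration of the integrity point above (example code written for this post, not from the original article or any cloud provider's SDK): the data owner computes a keyed HMAC tag before the object leaves its control and verifies it on retrieval, so silent modification in storage, or one valid object being copied over another, is detected. The in-memory `bucket` dictionary is a constructed stand-in for a cloud object store.

```python
import hashlib
import hmac
import os

# Constructed stand-in for a cloud object store: name -> (data, tag).
bucket = {}


def _tag(key, name, data):
    # Bind the object name into the MAC so a valid (data, tag) pair for one
    # object cannot be copied over another object and still verify.
    mac = hmac.new(key, digestmod=hashlib.sha256)
    mac.update(len(name).to_bytes(4, "big"))
    mac.update(name.encode())
    mac.update(data)
    return mac.digest()


def put_object(key, name, data):
    """Store data together with an integrity tag computed by the data owner."""
    bucket[name] = (data, _tag(key, name, data))


def get_object(key, name):
    """Retrieve data and refuse to return it unless the tag verifies."""
    data, tag = bucket[name]
    if not hmac.compare_digest(tag, _tag(key, name, data)):
        raise ValueError("integrity check failed for %r" % name)
    return data


def demo():
    """Run the clean, tampered and swapped cases; returns which were handled."""
    bucket.clear()
    key = os.urandom(32)  # integrity key held by the data owner, not the provider
    put_object(key, "customers.csv", b"id,name\n1,Alice\n")
    put_object(key, "notes.txt", b"hello")
    results = {"clean_ok": get_object(key, "customers.csv") == b"id,name\n1,Alice\n"}
    # Tampering in storage: bytes changed, tag left as-is.
    data, tag = bucket["customers.csv"]
    bucket["customers.csv"] = (data.replace(b"Alice", b"Mallory"), tag)
    try:
        get_object(key, "customers.csv")
        results["tamper_detected"] = False
    except ValueError:
        results["tamper_detected"] = True
    # Swapping one validly tagged object over another: name binding catches it.
    bucket["customers.csv"] = bucket["notes.txt"]
    try:
        get_object(key, "customers.csv")
        results["swap_detected"] = False
    except ValueError:
        results["swap_detected"] = True
    return results
```

A plain unkeyed hash stored next to the object would not give this guarantee, since whoever can alter the data can recompute the hash; the key must stay with the data owner.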
As you can see, the fundamental concepts and principles of IT security (or general business security for that matter) still apply. As mentioned above, if you run a tight ship, then you’ll be fine. However, that’s a big “IF” for some organizations. With an onsite data center, you might get away with cutting corners or implementing less than strict and proper security techniques. When working with cloud security, however, that luxury goes out the window. With cloud security, you MUST implement strict and proper cloud security techniques and processes. If not, then we’ll be reading about you in the next news cycle. Stay tuned for the next cloud security blog. Over the next several blogs we will cover these topics, as well as other concerns, in greater detail.