
Reducing Risk in the Cloud: What You Should be Thinking About

May 14, 2014

A few years ago, companies were starting to explore what the cloud was, what it could do, and how it could save them money. Today, companies are adopting cloud computing faster than ever. Developers love having the ability to enter a credit card number and be up and running on an application or program in minutes – without having to wait for IT to provide the software or hardware they may need.

However, this on-demand access provides its own challenges. Now that anyone can spin up a private cloud (for development or production), the process of deploying a tangible application is outpacing the implementation of security controls and increasing risk for your organization. The sheer speed at which someone can build an application in the cloud and generate volumes of data is incredible. The same goes for companies that use software as a service to protect their data. This is why it is so important to implement the same controls in the cloud that you would in your own data center.

Organizations are looking for equal (or better) controls, visibility, and protection in the cloud as in their traditional network. But the biggest challenge is understanding what is out there to help mirror or enhance the security posture in the cloud, since the approach is different. The cloud landscape doesn’t fit the traditional mold of data center security, and requires out-of-the-box thinking on how it should be implemented. Some simple questions to ask at any stage of cloud deployment are:

• What is the worst that could happen if my application or its data is lost or stolen?
• What applications or data should I move to the cloud (it doesn’t always make sense to move everything)?
• What is our organization responsible for in the cloud?
• What is the cloud/service provider responsible for?
• How can our organization mitigate risks in the cloud?

If you move your applications to the cloud and they contain sensitive data or must be in compliance with regulations, look for options that allow you to secure the data. There are products that will enable you to encrypt your data stored with the cloud vendor, or to leave the data on premises, to prevent it from being copied or stolen if the cloud provider were to have a security breach.

It is also critical to place controls on the cloud services, since their accessibility makes them an easy target. You need to know who is doing what, when they are doing it, and where they are doing it from in order to control the environment (e.g., Susie lives in San Francisco but was just accessing the corporate Box account from China). There are products that can simplify provisioning of user accounts and allow you to better audit who has access to what, using federated access control. You can also set up API proxies that can watch/block/allow all calls being made to your cloud provider, or use session recordings to replay what an admin (think Snowden) or developer was doing at a time in question.
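The "Susie in San Francisco, then China" case above can be checked mechanically from access logs. The following is an added example, not part of the original article: a minimal impossible-travel check over constructed log events. The event fields, the 900 km/h speed threshold, and the 100 km minimum distance are assumptions, and each source IP is assumed to have already been resolved to coordinates.

```python
from datetime import datetime
from math import radians, sin, cos, asin, sqrt

MAX_KMH = 900.0  # assumed threshold: roughly airliner cruise speed
MIN_KM = 100.0   # assumed floor, to ignore geolocation jitter

# Constructed sample events: (user, UTC time, place, lat, lon)
EVENTS = [
    ("susie", "2014-05-12T16:05:00", "San Francisco", 37.77, -122.42),
    ("bob",   "2014-05-12T16:10:00", "Denver",        39.74, -104.99),
    ("susie", "2014-05-12T18:30:00", "Beijing",       39.90,  116.40),
    ("bob",   "2014-05-13T15:00:00", "Kansas City",   39.10,  -94.58),
    ("susie", "2014-05-14T09:00:00", "San Francisco", 37.77, -122.42),
]

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dlat, dlon = p2 - p1, radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(p1) * cos(p2) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def impossible_travel(events, max_kmh=MAX_KMH, min_km=MIN_KM):
    """Flag consecutive accesses by one user that imply travel
    faster than max_kmh. Returns (user, from, to, km) tuples."""
    alerts, last = [], {}
    # ISO-8601 strings in one format sort chronologically.
    for user, ts, place, lat, lon in sorted(events, key=lambda e: e[1]):
        when = datetime.fromisoformat(ts)
        if user in last:
            p_when, p_place, p_lat, p_lon = last[user]
            km = haversine_km(p_lat, p_lon, lat, lon)
            hours = (when - p_when).total_seconds() / 3600
            # Simultaneous access from distant places is flagged too.
            if km > min_km and (hours == 0 or km / hours > max_kmh):
                alerts.append((user, p_place, place, round(km)))
        last[user] = (when, place, lat, lon)
    return alerts

if __name__ == "__main__":
    for alert in impossible_travel(EVENTS):
        print("impossible travel: %s %s -> %s (%d km)" % alert)
```

Only the San Francisco to Beijing hop is flagged; the return trip a day and a half later and Bob's overland trip stay under the threshold. VPN and proxy egress points produce false positives with this approach, so alerts are best treated as a prompt for review rather than an automatic block.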

Lastly, you should automate as much as you can. With the advancements in cloud automation and provisioning, there are numerous opportunities to add security to the process. I would argue there should be very few excuses for not baking security into a solution. Once you automate the security processes into your automation center, security becomes more efficient and predictable and also increases time to deployment and reduces human error.

Following these guidelines can help to reduce your risk in the cloud.



By: Shawn Mall

Enterprise Architect
