The importance and ownership of cloud security education
With rising adoption of cloud deployments, users, IT managers and stakeholders will need to be better educated on cloud security standards and best practices.
By Goutama Bachtiar, 28 Dec, 2012
In cloud computing, one of the bigger concerns among users and IT managers is security. It encompasses these fundamental aspects: authentication (verifying who is requesting access), authorization (what level of access that person is allowed), data integrity, and service availability.
Furthermore, cloud security will refer to a set of controls, compliances, policies and technologies in regards to securing the data, applications, and infrastructure.
So let’s dig in for more.
From a supply and demand perspective, providers (of infrastructure, software or platform) are expected by their users to provide security measures. For instance, enterprise-grade cloud applications frequently utilize server virtualization, which introduces an additional layer that must be configured, managed and secured in the appropriate way.
Risk arises when data from one segment in a server escapes into another segment, which in turn makes one’s data backup strategy and recoverability extremely important. Backups should be frequent and reliable. Virtualization software – widely known as the “hypervisor” – should be able to deal with this risk.
In short, securing the infrastructure and protecting the user’s data and applications are among the provider’s main duties. Meanwhile, making sure that the vendor has properly taken the necessary security measures to protect those vital components is the client’s primary security task.
Addressing user’s concerns and expectations
Institutions and companies of various types and sizes will usually have deep concerns about loss of control in cloud computing. Yet, since security concerns are among the major factors limiting greater adoption, this simply encourages users to scrutinize terms and conditions, liability provisions, process transparency, indemnification, and exit strategies as crucial aspects of a cloud service.
Because systems and human resources are under third-party providers, and not managed by the customers directly, users tend to rely on contracts for better security enforcement.
Private cloud deployments, meanwhile, offer the core cloud benefits with greater customization, control and restricted access. In this case, users expect tighter security requirements, whilst IT managers will usually find the need to explore how to better integrate cloud services with applications hosted on-premises.
Educating users – who is doing it?
The number of companies, institutions and organizations that are deploying cloud computing is growing rapidly. Thus, as respective providers enhance their features and services, there is the need to build confidence that next-generation platforms can provide a higher level of security assurance.
Three years ago, the Cloud Security Alliance (CSA) was formed to provide information and standards, conduct research on cloud computing best practices, and engage in educational activities about cloud security; it now has 31 chapters worldwide, 10 of which are in the Asia Pacific region. The CSA introduced the first certification on cloud computing security, the Certificate of Cloud Security Knowledge (CCSK), and will be offering CCSK, PCI Cloud, and GRC stack training.
Regardless of what the above organization has achieved thus far, the most important preliminary step is educating employees on the importance of security; both vendors and customers need to take security seriously to ensure sustained awareness.
The next big thing
Best practices, policies and standards on cloud security are just emerging. Audits are important, and standards (such as ISO 27001 or SAS 70) are necessary to ensure compliance.
Another thing that users and IT managers should implement is improved IT risk management: classify data based on its sensitivity and then rank it from highly critical to less critical. Assess carefully and comprehensively where data should reside, which protection methods will be needed moving forward, and how long data needs to remain in the secure location. Weigh the business value against the business risk.
For enterprises or companies that already have a Risk Management committee, internal or external auditors should incorporate cloud security risk assessment into their processes and give recommendations based on results across the entire organization.
Always prepare an exit strategy
Despite downtime due to outages, upgrades and maintenance, users will always rely heavily on cloud providers living up to their service level agreements (SLAs). But having a Business Continuity Plan (BCP) and Disaster Recovery Procedure (DRP) will be an absolute necessity, particularly to protect your organization in the event that the provider fails to deliver the services as promised, goes out of business, or even merges with another company.