The advent of cloud computing has changed the landscape of IT. Companies are moving beyond the traditional on-premises model to more dynamic, scalable and elastic IT resources. Organizations are quickly embracing cloud computing in order to reap its inherent benefits: reduced costs, flexibility, optimized resource utilization, on-demand self-service, a shortened lifecycle for new business applications, and improved mobility and collaboration.
While the adoption of cloud computing is on the rise, perceived security risks are the single largest factor inhibiting adoption. 91 percent of organizations are very or moderately concerned about public cloud security. Data loss, leakage, privacy, and legal and regulatory compliance continue to top the list of cloud-related security concerns (‘Cloud Security: 2016 Spotlight Report’, Information Security Community on LinkedIn).
Many organizations partner with a managed services provider to implement the resources and security services required to protect their assets in the cloud, while others use security software from independent software vendors. While these approaches may provide immediate security, organizations should also develop long-term security strategies, as cloud computing is not going away anytime soon. In fact, Gartner predicts that “Through 2020, 95 percent of cloud security failures will be the customer’s fault”, that is, failures in the controls the customer owns under the shared responsibility model (configuration, identity and access management, data handling) rather than failures of the provider’s underlying platform. Organizations should also be aware that they, not the provider, are held liable for security breaches or incidents involving data leakage or sensitive data exposure.
When considering migrating to the cloud, organizations should address the following:
- Vendor Lock-In: A good way to prevent vendor lock-in is to consider interoperability and portability from the outset. Interoperability facilitates the exchange of data between systems and enables components from different providers to work together to achieve the intended result. Portability determines the ability to move and reuse application components elsewhere, regardless of provider, platform, infrastructure, operating system, or data format. A lack of visibility into the security controls a provider implements is one of the major factors affecting provider selection; while most organizations choose providers that can demonstrate adequate security controls, many forget to assess the interoperability and portability aspects of their decision. In practice this means checking that data can be exported in standard, documented formats, that applications do not depend on provider-specific services without a known substitute, and that the migration out has actually been tested rather than assumed.
An organization may choose to change service providers for a variety of reasons, including unacceptable decreases in service levels or performance degradation, increased costs at contract renewal time, unresolved disputes, or the provider’s bankruptcy. Regardless of the reason for changing providers, organizations should assess the new provider’s interoperability and portability and ensure that the provider’s platform supports open standards and documented migration paths.
- Liability for Incidents: Even the most carefully chosen set of preventive and detective security controls cannot completely eliminate the possibility of a successful attack on data. Cloud computing does not necessarily require a new conceptual framework for incident response; rather, organizations must ensure their existing IR programs map appropriately to the new environment, while putting forth extra effort to review and test documented programs, or to develop them if they do not exist. Organizations should firmly understand their own roles and responsibilities and those of their provider in the event of an incident. For instance, organizations must understand how their provider distinguishes events of interest from security incidents, and what gets reported to them. The contract with a cloud provider should state that the provider is to notify the organization of any breach, incident, investigation or legal action, and that the organization retains the ability to control or make decisions in the event of a subpoena or similar action. Organizations must understand the type of support the provider will offer for incident analysis, especially which logs, snapshots and other evidence the provider will hand over, in what content and format, how long that evidence is retained, and the level of interaction expected with the provider’s incident response team. Organizations should identify the most relevant incident types and prepare strategies for containment, eradication, and recovery. The organization should be assured that the provider can offer the necessary support to execute these strategies, and should exercise that support before an incident rather than discover its limits during one.
- Service Level Agreements (SLAs): An organization can ensure the two previously mentioned points are considered when migrating to a cloud system by clearly outlining them in an SLA. When data is held in the cloud, accountability for securing the data typically remains with the collector or custodian of the data, in this case the organization, regardless of where it is processed. When an organization relies on a third party to host or process the data, the contract should therefore make the host liable to the organization for any loss, damage or misuse of the data caused by the host. Most of the legal issues arising from storing and securing data in the cloud can be resolved with a detailed SLA. The SLA should clearly define the roles, responsibilities, and expectations of all parties involved in the agreement. It should state the minimum levels of service, security, controls, availability, communications, liability, support, and other crucial business elements, agreed upon by all parties. Organizations should carefully review and understand every SLA and develop an exit plan for each; note that large public cloud providers often offer standard terms that are not negotiable, in which case the review determines whether the standard terms are acceptable rather than what to negotiate. When relying on a third party to process and secure data, organizations should ensure that all relevant stakeholders within the organization (security, legal, compliance, and the business owners of the data) carefully review the SLA.