There’s an ongoing debate about when the term “cloud computing” first appeared. But there’s no debate about the cloud’s positive impact over the past decade. Whether discussing technology infrastructure, new data center needs, software as a service, disaster recovery, mobile app delivery or other aspects of future technology innovation, cloud computing is at the center of the conversation.
But security continues to top the list of cloud concerns. To prep for a recent online symposium on improving cloud security, I reviewed 2008 presentations from when I was Michigan’s CISO describing the good, the bad and the ugly in the cloud. Here were some of the bullets:
Good (promises): Lower costs, on-demand access and self-service, rapid provisioning and deprovisioning, minimal manual effort, ubiquitous network access, measured service.

Bad (concerns): Loss of control, trust, security, data privacy (demonstrating compliance), resiliency, where's my data? (meeting legal requirements), proving hosting claims and promises when the data center is not in your region, with no state employee travel allowed to go and look.

Ugly (keeps me up at night): Purchases below the cost threshold for procurement scrutiny, explosive growth and migration of service consumption and bandwidth, fewer eyes on service use, contract hell, vendor management skill sets lacking or nonexistent, a paradigm shift in IT rate reimbursement models for agencies, and how to block rogue cloud providers.

Do these topics sound familiar? We still struggle with the same challenges that were identified when we drew our first cloud architecture on a whiteboard. Meanwhile, the online threat situation has worsened, with relentless cyberattacks continually moving the "secure" target for even the best cloud providers.
How can you address concerns and drive greater cloud adoption? How can we get to those cost-saving and service delivery benefits, while minimizing risk?
I offer five recommendations to reduce your risk of data loss in the cloud.
1. Perform an enterprise cloud risk assessment. This process is focused on your cloud applications and finding out where data is being stored. The goal? Develop an “as is” cloud assessment. What’s really happening now?
Survey the network to ID your SaaS footprint.
Build a data flow map. You’ll need tools to help, but you need to know where your data is going.
Risk-score the applications and data you find. Once you know where the data is, tooling can help you score how much trust to place in each cloud service and the business process around it (who uses it, what leaves the network, whether anyone has a contract with the provider).
2. Business requirements specification and gap analysis. This step maps what you know about business compliance needs (like PCI, HIPAA and tax data) with what’s actually happening on your network.
3. Build a plan to address “shadow IT.” This step pulls together data from steps one and two to obtain an action plan that brings strategic results. Include legal, procurement and security specialists. There are companies that can help you through this planning and remediation process.
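The survey, data-flow and risk-scoring steps above are usually done with a CASB or proxy-analytics product, but the core logic is small enough to show. The following is an added example, not code from the original post: it walks a few constructed proxy log lines, reduces each destination to a registrable domain, groups domains into services with a hypothetical catalog, tallies users and bytes uploaded per service, and assigns an explainable risk score that penalizes unsanctioned services, bulk uploads and spread across users. The log format, the `CATALOG`, the `SANCTIONED` set and the score weights are all assumptions standing in for whatever your own proxy, DNS logs and procurement records provide.

```python
"""Added example: a minimal shadow-SaaS survey over constructed proxy logs.

Not code from the original post. Assumes a hypothetical proxy log format of
space-separated fields:
    timestamp user src_ip method url status bytes
plus a hypothetical service catalog and sanctioned-app list.
"""
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample log lines (not real traffic). The last line is deliberately
# malformed to show that bad records are skipped rather than crashing the survey.
SAMPLE_LOG = """\
2014-03-03T09:01:12Z jsmith 10.1.4.22 GET https://outlook.office365.com/owa/ 200 48211
2014-03-03T09:02:40Z jsmith 10.1.4.22 POST https://content.dropboxapi.com/2/files/upload 200 9388120
2014-03-03T09:05:03Z alee 10.1.7.90 POST https://content.dropboxapi.com/2/files/upload 200 2201300
2014-03-03T09:06:15Z alee 10.1.7.90 GET https://www.dropbox.com/home 200 11032
2014-03-03T09:10:44Z rkhan 10.1.9.14 GET https://na1.salesforce.com/home/home.jsp 200 70211
2014-03-03T09:12:09Z rkhan 10.1.9.14 PUT https://upload.filedrop.example/v1/put 200 512000
2014-03-03T09:13:51Z jsmith 10.1.4.22 GET https://www.example.com/news 200 3021
malformed line that should be skipped
"""

# Hypothetical catalog grouping registrable domains into a service name.
# A real inventory comes from a CASB feed or a list you maintain yourself.
CATALOG = {
    "dropbox.com": "Dropbox",
    "dropboxapi.com": "Dropbox",
    "office365.com": "Office 365",
    "salesforce.com": "Salesforce",
}

# Hypothetical list of services that procurement, legal and security have approved.
SANCTIONED = {"Office 365", "Salesforce"}

UPLOAD_METHODS = {"POST", "PUT"}
UPLOAD_THRESHOLD = 1_000_000  # bytes per service; illustrative "bulk data leaving" cutoff


def registrable_domain(host):
    """Naively reduce a hostname to its last two labels.

    Sufficient for the constructed sample; production code should use the
    Public Suffix List (e.g. the tldextract package) so that co.uk-style
    suffixes are handled correctly.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def parse_line(line):
    """Parse one hypothetical proxy log line; return None if it is malformed."""
    parts = line.split()
    if len(parts) != 7:
        return None
    _ts, user, _src_ip, method, url, _status, nbytes = parts
    host = urlsplit(url).hostname
    if not host or not nbytes.isdigit():
        return None
    return {"user": user, "method": method.upper(), "host": host, "bytes": int(nbytes)}


def survey(log_text):
    """Build the 'as is' picture: which services, who uses them, what flows out."""
    stats = defaultdict(lambda: {"users": set(), "requests": 0, "upload_bytes": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        service = CATALOG.get(registrable_domain(rec["host"]), registrable_domain(rec["host"]))
        entry = stats[service]
        entry["users"].add(rec["user"])
        entry["requests"] += 1
        if rec["method"] in UPLOAD_METHODS:
            entry["upload_bytes"] += rec["bytes"]
    return dict(stats)


def risk_score(service, entry):
    """Simple, explainable 0-10 score. Weights are illustrative, not a standard."""
    score = 0
    if service not in SANCTIONED:
        score += 4                              # no contract, no vendor review
    if entry["upload_bytes"] >= UPLOAD_THRESHOLD:
        score += 4                              # bulk data is leaving the network
    elif entry["upload_bytes"] > 0:
        score += 2                              # some data is leaving
    if len(entry["users"]) > 1:
        score += 2                              # spreading beyond one person's experiment
    return min(score, 10)


def report(log_text):
    """Return [(service, score, user_count, upload_bytes)] sorted by risk, descending."""
    rows = [
        (service, risk_score(service, entry), len(entry["users"]), entry["upload_bytes"])
        for service, entry in survey(log_text).items()
    ]
    rows.sort(key=lambda r: (-r[1], -r[3], r[0]))
    return rows


if __name__ == "__main__":
    for service, score, users, up in report(SAMPLE_LOG):
        flag = "" if service in SANCTIONED else "  <- unsanctioned"
        print(f"{score:2d}  {service:<18} users={users} upload_bytes={up}{flag}")
```

On the constructed sample this surfaces Dropbox at the top (unsanctioned, over 11 MB uploaded, used by two people), an unknown upload host next, and the two sanctioned services at zero. The point is not the weights but the shape: the same three inputs (is it on the approved list, how much data goes out, how many people use it) are what the gap analysis in step 2 needs, so keep them as separate columns rather than collapsing straight to a score.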
4. Choose a cloud framework to implement. This recommendation is independent of the first three. Here are two options:
The Federal Risk and Authorization Management Program (FedRAMP), which is built on existing federal security standards, including FISMA, NIST SP 800-53 and FIPS 199, and aims to build a catalog of pre-screened cloud providers for government agencies. Learn more about FedRAMP. The U.K. government's G-Cloud framework offers another excellent approach, and its cloud security principles are published online.
5. Examine and implement cloud best practices.
The Cloud Security Alliance promotes the use of best practices for providing security assurance in cloud computing.
The Cloud Best Practices Network offers case studies and social media connections to help build enterprise solutions.
A final thought: Frederick the Great of Prussia once said, “He who defends everything defends nothing.”
We'll never finish securing the entire cloud. (There will always be new online threats and vulnerabilities.) Your goal is to build resilience into your cloud environment and to know, before it happens, what you will do when an incident involves your data.