At first feared by CIOs and security professionals alike, cloud services are now mostly an accepted and often preferred method for delivering services and solutions to customers. Security professionals have generally been more resistant to taking the jump into the cloud for a number of justifiable reasons; however, when reasonable security requirements are integrated into the decision process for selecting and integrating cloud services, the cloud can provide security teams with both enhanced security and enhanced visibility when compared to traditional onsite implementations. Let’s examine why.
1. Fewer Vulnerabilities in Purpose-built Environments
When compared to the variety of systems and applications often managed by internal Information Technology (IT) teams, many cloud service providers specialize in a comparatively small number of service offerings which are typically run at scale to support multiple clients. Since Software as a Service (SaaS) hardware, software, and infrastructure environments are generally built from the ground up to support a small set of applications, many security vulnerabilities can be avoided because unneeded services and system interfaces are simply not built into the design. Additionally, environments are typically better separated from other applications, meaning that a compromise of one application would not improve an attacker’s chances of compromising other applications.
Whereas legacy internal applications may have started life as tools designed to be accessible only from a private network, where much of the security emphasis rests on who can access that network, cloud applications designed to be Internet-first tend to be more hardened against attack, since it is expected that hackers and others will be constantly probing for holes.
2. Better Security Capabilities with Scale
When compared to the average small or medium-sized company, larger SaaS providers who can share security costs across multiple customers may have an easier time affording top-tier security talent and tools. They can also gain valuable intelligence from observing and responding to attacks launched against their other clients, which can then be used to better defend clients who have not yet been attacked. Look for service providers who participate in security intelligence sharing with larger communities or sectors to ensure that they also maintain an awareness of what attacks are being seen elsewhere.
The rapid scalability features offered by most cloud providers can be one of the most effective tools against Denial of Service attacks. Ensure that your agreements with providers cover incident response for denial of service, including how you will be charged if utilization spikes due to attacks.
3. Allows Focus on the Data and Business Processes
Out of necessity, most security effort and resources are typically spent monitoring and securing infrastructure, when in fact it is the security of the data about which we are typically concerned. Moving to SaaS and cloud services can free security resources to start focusing on questions that are more in line with business objectives, such as who is accessing or attempting to access which data, and whether they are authorized to do so.
4. May Provide Alternatives to Common Risky Practices
When formal IT security efforts are seen as obtrusive or inconvenient, end users, or sometimes even whole business units, will often attempt to find a more convenient way to get the job done. Unfortunately, without the proper support from the CIO the alternatives at best create Shadow IT challenges, where the IT organization is expected to support unintegrated solutions, often without adequate resources, or at worst create serious security vulnerabilities putting sensitive data at risk. Mobility, file sharing, remote access, cloud storage, and email rank high on the list of desired capabilities that users can easily acquire outside of typical CIO control. CIOs who act first to give users the capabilities and features they are demanding, before users take matters into their own hands, can ensure that security requirements and CIO oversight are key components of the cloud services in use by the organization.
5. Service Level Agreements to Assure Action
Correctly written Service Level Agreements (SLAs) with service providers can lead to a responsiveness to security needs that exceeds what is found when dealing with internal organizations. For example, expectations and accountability for patching and dealing with other security vulnerabilities should be firmly documented and measured. When the service provider falls short of the SLA, the CIO has a forceful tool to mandate action by the service provider if they want to avoid penalties. Ensure that your SLAs hold the service provider responsible for security shortcomings and give you the right visibility and metrics to track compliance.
Above all else, when considering cloud services ensure that, regardless of where your data is, you maintain visibility over both the data and who is accessing it. This should include possible access by service provider personnel. Strengthen authentication methods and ensure that monitoring for suspicious account activity is performed continuously. Ensure that incident response efforts can collect the right information to determine the sequence of events and understand the business impact.
Cloud services will not always be better, cheaper, or more secure than traditional on-premises IT efforts; however, when security requirements are included in the decision criteria, the cloud can become a powerful tool for improving organizational security efforts.