Four steps to cloud security for business

Business cloud services can provide access to data and applications at all times from any location, bringing great commercial benefits.

But does this mean cloud security considerations can lag behind?

Three of the most profitable and valuable companies in the world – Amazon, Microsoft and Google – all operate in the cloud sector. For the largest of these, Amazon, their business cloud services platform – AWS (Amazon Web Services) – delivers their greatest growth and now accounts for over half of Amazon’s revenue. Similar stories pervade at Microsoft, with the growth of Microsoft Azure and Office 365, with over 31 million paying subscribers and growing exponentially.

On average we will find in excess of 1,000 cloud applications in use across a medium- sized business, with many employees using at least 30 applications per month, often sharing the same password across multiple applications and users.

The work place is no longer a place

People work differently today, expecting to work from any place, at any time and on any device, sharing information and collaborating in real time and accessing and sharing sensitive data in the process in order to get the job done.

Remote access to data – yesterday and today

In the past, access to data was controlled mostly by IT and stored inside a protected perimeter. Remote access to the data was permission-based and almost always through a VPN. Threats were focused on the network and endpoint. With a defined perimeter, IT was able to tightly control access to data and assess the risk.

Fast forward to today… with over 50% of access to business applications happening off network, remote access is expected and visibility into these applications is limited. The focus in many businesses is on speed to market, collaboration, sharing and business enablement, with security considerations often lagging behind.

Security – a shared responsibility

While many of the major cloud service providers, such as Amazon, Microsoft and Google, throw huge amounts of resources and money on cloud security – it is the customer that is responsible for securing their data in the cloud environment, for ensuring compliance of that data and ultimately, it’s the customer who is liable for the financial and brand damage caused by any data security breaches. The cloud service provider protects the infrastructure; how you protect access to and control of the data inside the platform is your concern.

Responsibility throughout the organisation

Cloud security isn’t just an IT Problem, it concerns all levels of the C-Suite, from the CEO who is looking to drive innovation, the CFO (Chief Financial Officer) who is trying to control costs and utilise resources efficiently, the DPO (Data Protection Officer) or General Counsel who is concerned about compliance and regulations such as GDPR, PCI or the FCA, as well as understanding what Intellectual Property the company needs to protect, through to the CMO (Chief Marketing Officer) who is concerned about protecting the brand, the CIO (Chief Information Officer) who is trying deliver a platform to keep pace with innovation and finally, the CISO (Chief Information Security Officer) who needs to remain compliant.

Four steps to cloud security

To understand what you are really up against when it comes to cloud security, it is important to undertake a Cloud Risk Assessment for a 360-degree view of your business’s cloud presence across both your sanctioned and unsanctioned applications.

This will enable you to identify threats to your data security, make sure you’re compliant with industry regulations and identify compromised accounts and malware infections.

You can incorporate this Risk Assessment in a four-step process, closely aligned to Gartner’s 4 pillars of Cloud Security, to become cloud confident:

• Discovery: identify the true costs and risks you face – including unsanctioned and shadow IT that will compromise security, harm your reputation and impact on profits.
• Awareness: create the right cloud access, usage and security policies – and educate your people on the threats faced, raising awareness and changing behaviour.
• Control: police and enforce your cloud access and security policies; monitoring, management and alerts to take action quickly and ensure regulatory compliance.
• Confidence: ongoing scrutiny and regular refresh of your cloud access, security and data protection policies through a cost-effective managed service.

Summary

The Cloud provides business with many well documented advantages, ranging from cost reduction to increased agility and productivity. This enables businesses of all sizes to be competitive by providing enterprise technology for everyone. For most businesses, it is already an important part of their day-to-day operations, and it is estimated that over 90% of businesses are already adopting the Cloud in one form or another.

This could be for basic email services such as Gmail or Office 365, document storage such as Dropbox, online accounting and expenses such as Xero, right the way through to complex HR and CRM systems such as Workday and Salesforce.

However, with the many advantages offered through cloud adoption, it is important businesses are aware of the associated risks and take steps to control or mitigate these risks where appropriate.

Paul Richards CCSP

Director of Technology

EveryCloud Security

www.everycloud.co.uk

See also:

• Our archive of articles on Information Security 
• What is phishing and how does it work?
• Combating digital threats with open source investigation