Consider when you’re driving on a road that has both a minimum speed as well as a maximum limit -- no single, rigid speed limit ensures safety because of changing traffic volumes. Now think, if those roads had only a maximum speed posted, it could reduce accidents, but it would unequivocally impair efficiency of traffic flow.
This conundrum of risk can be directly applied to cloud computing -- either businesses take the calculated risk and improve the journey to an application or network service provider location or they may suffer from inefficient “transportation to the destination.”
Defining Cloud Risk
In a recent Gartner survey of senior executives about risk, audit, finance, and compliance, cloud computing was identified as the top concern. Afterall, moving to the cloud means ingrained business processes have to change, which introduces new risks and associated costs that weren’t present with on-prem.
But there can’t just be a sweeping notion that cloud computing is risky -- so stay away! Instead, executives clearly defined what makes them cloud-shy, including information security threats like social engineering and GDPR compliance breaches.
Cloud Security: The Enduring Barrier That Shouldn’t Be
Value of cloud computing almost always outweighs the risks. If you want better operational efficiency, the agility to respond to market changes, or lower operational costs -- you probably need cloud. Despite this knowledge, enterprises continue to feel wary of cloud architectures even though their on-premises solutions are accompanied by an exposure to risk and other vulnerabilities. And between us, in some cases far less secure than many cloud providers today.
Let’s review three areas of vulnerabilities:
Technical - Data leakage, DDoS, insider threats, etc.
Policy and Organizational - Vendor lock-in, compliance, reputation, etc.
Legal - Data protection risks, licensing risks, e-discovery, etc.
Now, are we talking about risks for cloud or on-prem? If you’re not sure, it’s probably because vulnerabilities aren’t always unique to one environment or another, rather, the need for process change and security planning.
Fear Default Configuration and Patch Management Issues Instead
It’s time to rethink the concept that cloud is riskier than on-prem and begin to embrace the defense in depth strategies that facilitate safe cloud usage and its business benefits. While high-profile attacks like Meltdown and Spectre may be gasoline to the fear fire, it’s more likely that default configurations or patch management issues will be the downfall of cloud security.
After you shift your mindset, continue on to:
Uptime/Downtime and Disaster Recovery...by finding a strong cloud vendor and thoroughly reviewing contracts and service level agreements (SLAs). Then, follow up with Visibility-as-a-Service (VaaS) to ensure vendors are delivering on their promises.
Access...by using role-based access controls to ensure people access only what is needed and nothing else. Enforce rules around type of devices used and level of access based on OS version numbers, security indices, and apply multi-factor authentication.
Monitoring and Management...by assessing and reassessing security policies, performance, end-user experience and response time, safeguard changes and configuration management, log what users are doing on the network, secure connected endpoints, and more. The key to effective security is to know your environment, which can be achieved with SIEM/LOG, VaaS, Cloud Access Security Brokers (CASB), secure Web gateways (SWGs) and next-generation firewalls (NGFWs).
At the end of the day, no one is going to say that cloud doesn’t have risks. What’s dangerous is ignoring it instead of acknowledging vulnerabilities and enforcing security.
Here at Edgeworx, we complete Cloud Risk Assessments and we always tell our customers “what we find ain’t always pretty.” And it’s true -- some cloud-connected customers have data leaks they never knew about, others have rogue endpoints that have never been accounted for and use insecure hosting services to save corporate data (without knowing). The good news at the end of the day is that with the right partner, the cloud and its risks are always manageable.
If your company is blinded by fear of cloud risks or you don’t have the internal resources to handle a shift to cloud, our team of professionals is here to help you rethink and achieve cloud success. Read more in our blog: 5 Steps to Cloud Confidence.