Cloud Security: Let’s Talk About Risk

Even with the widespread adoption of cloud by large organizations and governments, some still promote the idea that the cloud isn’t secure. Consider how many times a week you read an article or sit in a presentation that highlights cloud security as a barrier to adoption. Yet, how often do you hear about the actual risks with cloud?

The IT industry continues its never-ending debate over “security issues” in the cloud, when the conversation should really be about risk and risk mitigation. IT and cloud service providers should make sure everyone understands what is being protected, what the threat level is and how enterprises can address it. Dealing in these fact-based terms can eliminate the security barrier and allow enterprises to fully embrace the cloud.

Data and expert advice demonstrate that it’s not about cloud security, but about risk:

  • The 2013 Data Breach Investigations Report (DBIR) found that attacks against virtualization technology were not present in the breaches analyzed.
  • An IDG survey concluded that 75 percent of organizations feel confident about the security of their information assets in the cloud.
  • The CIO of a leading financial organization said that his database administrator with credentials is his biggest risk, not cloud.

To address security concerns, enterprises need to focus on the risk their businesses are exposed to and develop plans to mitigate it. While this is easier said than done, it is not impossible as long as enterprises take an information-centric approach. This means thinking about the data being protected at every step of the risk mitigation process. With this in mind, there are a few actionable steps that can get you started.

  • Start with the business context: Assess what type of information is being handled within the business, who would be interested in obtaining it and how likely it is that they’ll succeed. Once that’s done, consider the appropriate security control options.
  • Research the application: Be mindful that not all applications are designed to meet high security standards. To account for that, develop protocols that protect the application’s data at rest as well as in motion.
  • Develop a data-centric governance plan: Evaluate who needs access to the data and virtual machines and limit it.
  • Test the plan and test it again: Once the plan is implemented, be sure to test it repeatedly.

It is clear that the focus should no longer be on security but on risk and risk mitigation, as it is the foundation for security in the cloud. Considering your business goals and assets, researching the application, and developing a strong governance plan are key to mitigating risk. Taking these steps will free your organization from the burden of solving ‘security issues,’ allowing you to realize the advantages of the cloud.
