Is security an inhibitor to cloud?

Content Copyright © 2015 Bloor. All Rights Reserved.

There have been any number of surveys produced in recent years which state that security is an inhibitor, even the greatest barrier, to the take-up of cloud services. Yet many of the same surveys show high levels of adoption, apparently despite perceived security issues.

In fact, for many, cloud computing is just another technology delivery mechanism. It offers cost savings, flexibility and scalability and allows organisations to better embrace mobility, which is something no organisation can afford to ignore. Very few employees today do not have at least one smart mobile device with them at all times and many prefer that device over all others at their disposal.

For many organisations, the use of cloud computing models and mobile devices is not only an option, it is seen as an imperative. A growing number are opting for a cloud-first and mobile-first strategy over traditional methods of deploying technologies in-house.

So how about security concerns? The most often cited concerns centre around data security, yet the vast majority of breaches of sensitive data are from internal systems. Sure, there have been breaches of data from the cloud, but most providers are in a position to move quickly to fix issues – often far quicker than an IT department can – and to push those fixes out to all users simultaneously. Having said that, as cloud usage increases, there will probably be more vulnerabilities uncovered and exploited.

To gain the benefits offered by cloud computing – and, by extension, mobile devices since cloud applications are ideally suited for mobile access – security for the cloud should be considered as an extension of that for the internal network. The same policies apply.

Access to sensitive data needs to be tightly controlled wherever that data is. Context is important for all access decisions, with risks carefully weighed. Where a user is attempting to access sensitive data, especially from an insecure location such as a Wi-Fi hotspot, access can be curtailed or stronger forms of authentication required. With mobile phones, this is becoming an increasingly viable and cost-effective option since they can be used as the authentication mechanism. With cloud applications and services ideal for mobile access, this can help to allay many concerns.

Some are still concerned about those outside of the organisation inappropriately accessing data. Most cloud providers will have stringent access control policies for their employees, especially around privileged access, which can allay many of those fears. Combined with encryption of all data in transit to the cloud or at rest in storage, data in the cloud can be kept safe from prying eyes. But a caveat is that the encryption keys should remain in the hands of the customer, not the service provider. This will prevent data from falling into the hands of, for example, certain government agencies that are overly keen on blanket surveillance.

This will also reduce concerns over data jurisdiction regarding where data is held. If it is encrypted effectively, those concerns are reduced dramatically. Some countries demand that data be held within their borders – and those demands are likely to increase when new European data protection regulations come into force – but the majority of the large cloud providers, at least, are opening local data centres that cater to these demands.

Another argument in favour of the cloud is that cloud service providers face stringent standards with regard to security and are regularly audited by independent parties. Many cloud providers adhere to the SSAE 16 reporting standard that is specifically designed to govern service providers, which enforces high levels of security, covering both physical and information security controls. Among the security benefits are that the cloud provider will be constantly monitoring systems, which is something that many organisations struggle to do for their own networks.

But, even so, organisations must retain responsibility for security and must ensure that they have strict policies and stringent controls in place, especially around access controls. The onus is on them to check that a cloud provider adheres to security standards and policies and that these are laid out in service agreements, including controls for data access, as well as securely storing and deleting data. They should also ensure that controls are in place for preventing vulnerabilities from being exploited and for controlling malware infections.

With the right policies and procedures in place, the cloud need not be the ‘wild west’ that it is sometimes made out to be. The cloud is just another technology delivery mechanism and one that offers many benefits. Those that do not embrace cloud computing models risk not only being left behind, but might even be placing themselves at greater risk than those that prefer to eschew its use. If organisations do not provide cloud application and service options for their employees, those employees will sign up for services themselves without the organisation's knowledge.

This is especially true with cloud applications such as file sharing services. Not providing a cloud option to employees could lead to sensitive corporate data being placed in the cloud that the organisation does not know about.

Cloud computing is an unstoppable force – as is mobile usage. Even those organisations that remain unconvinced about placing their most sensitive information in the cloud will find some use for public cloud services. Security should be taken seriously and be part of all decisions, but it should no longer be seen as the greatest inhibitor.