Are organisations worrying too much about factors beyond their control and not paying enough attention to their existing IT security practices and potential security issues that may be sitting on their own doorstep?
Despite all of the anxiety about security, organisations embracing the Cloud often fail to properly evaluate their own internal IT security prior to deployments. Organisations should look closer to home when assessing who is responsible for securing sensitive data in the Cloud and how to go about it.
Some organisations project their own internal security weaknesses onto Cloud providers. When security is used as an excuse, it's often the case that IT departments want to avoid examining themselves. If you don’t have a grip on governance, risk management and regulatory compliance internally, then you’ll expose just how deficient your security is when you try to move to the Cloud.
First things first: Developing a comprehensive Cloud security plan
Even if many organisations lack the courage to scrutinise their own (possibly inadequate) security practices and standards, there are still plenty of valid Cloud security fears. Transferring the responsibility for protecting sensitive data to a third party is potentially terrifying, especially in a regulated industry.
Moving to the Cloud still entails many unknowns, so formulating a comprehensive Cloud strategy is an absolute must. If you don’t have some sort of workable plan in place, how can you be prepared to adapt as conditions change?
A good place to start planning is by looking at the highest risk within your organisation. More often than not, that’s your privileged users. They are able to access the most sensitive systems and data, and you can be sure that auditors will look at them closely.
Attackers are aware of this, which is why C-level executives are often targets of so-called ‘whaling attacks’, where the phisher focuses upon a very small group of ‘big fish’ within an organisation and tries to steal their credentials – usually through the installation of malware that provides back-door functionality and key logging.
Graham Taylor, Head of IT Security, UK and Asia Pacific, at recruitment company Michael Page International says: “Although C-level executives may have access to sensitive strategic information, they will probably not have access to systems that store data. We must not forget the IT team – technically savvy, but not always security aware. They tend to be early adopters and like to 'tinker' with their new toys and test new applications, all on devices that may have access to more valuable systems than the rest of the business.”
Resistance
Privileged users, and your IT team, can also be the most difficult to secure, because they will often reject any security control they don’t like. Therefore, it’s not going to be easy to put a blanket ban on high-risk devices, such as smartphones or tablets. Instead of banning such devices, you can establish proper authentication, access control and identity enforcement to ensure that your privileged users are, at least, who they say they are.
Developing a plan to protect your most privileged users has the added benefit of helping to provide you with an overall Cloud security roadmap. Are remote-user risks a concern? Your most privileged users will probably require remote access. What about data loss protection? Your privileged users will have more rights to more data than anyone else. What about securing mobile devices? Your CEO probably has several of them.
Moving from internal controls to supplier evaluation
When you move from evaluating your internal organisational IT security to evaluating potential Cloud suppliers, don’t forget to investigate how far Cloud services might have already spread into your organisation. Has your sales director signed up for Salesforce.com? Are your project managers using collaboration tools? Has HR invested in talent management software?
Most name-brand Cloud SaaS providers have solid reputations, so getting those services to conform with your internal security controls shouldn't be a problem. However, you'll want to vet questionable or lesser-known suppliers to make sure they have taken the time to properly secure their Cloud environments.
“Our research has shown that while Cloud adoption continues apace, CIOs are holding back from committing their most sensitive and important data to third party Cloud providers,” commented Simon Withers, head of product management & development, Cloud & managed services, for SunGard Availability Services. “While the newer breed of Cloud providers has focused on selling the benefits of Cloud, of which there are clearly many, organisations are right to be asking the crucial questions about the security and availability of their data and infrastructure before they entrust it to a third party. Demonstrating a reputation for having security, resilience and availability baked in to solutions will be key to imbuing CIOs with the confidence to continue to move their more critical infrastructure and applications to the Cloud. Businesses exploring the Cloud have to ask vendors tough questions, and be sure that when they put their data in the Cloud, they can get it back.”
Don't despair
Making the move to the Cloud is more manageable than most people think, especially if you move slowly and deliberately. First, map your organisation and understand who your users are and what they’re allowed to do. Once your internal controls are in place, you can start shifting resources into a private Cloud. Finally, as licenses expire and as upgrade cycles crop up, you’ll be in a position to knowledgeably and safely begin examining the public Cloud suppliers and work out who you can trust with your mission-critical data and resources.
When evaluating Cloud suppliers, start with the basics and ask some key questions: Can they explain governance for their infrastructure? What policy standards apply, and how do they enforce those policies? If they don't have good answers, or if they don't seem to know what you're talking about, then you should cross them off your list. Focus on finding out how data will be managed and secured, and ask how potential suppliers can prove they're doing everything they claim to be doing.
Internal Cloud security planning – 10 questions to ask
1. Have you carried out a rigorous review of your entire company-wide security infrastructure and usage policies?
2. How up to date are your access controls, including authentication and identity management?
3. Does your organisation have any data governance initiatives?
4. Have you started classifying data according to risks, so that you can determine what is safe to move to the Cloud?
5. Do you know how invested you already are in the Cloud?
6. How will your choice of Cloud deployment dictate required changes to security policies and procedures?
7. How will you convince auditors that your Cloud projects are as secure as your on-premise ones?
8. How do all the parties involved in Cloud development come to an agreement on de-provisioning users?
9. Do you have a comprehensive Cloud strategy and Cloud security plan that you can adapt and improvise as conditions change?
10. Does your Cloud strategy include a plan to protect your most privileged users?
Want to find out more about getting started with Cloud security?
Attend the 1st or 2nd Cloud Circle Security Conferences; ‘Practical due diligence to identify, evaluate and manage the security risks of Cloud Computing’.
The Cloud Circle’s 1-day conferences (taking place in London on 7th October and 2nd December 2011) will provide practical solutions for planning your transition to the Cloud, and implementing security as a key component of your Cloud strategy, rather than an afterthought of this transition. Benefit from the latest thought leadership on Cloud security best practice and the latest technology developments. Listen as the most common Cloud security myths are debunked. Hear tips on how to ensure that your suppliers are secure and compliant. You will also benefit from insights into some of the different security tools that organisations are already successfully deploying in the Cloud.
Email sophie.hardman@thecloudcircle.com for details.