Securing the cloud
With more than half a billion records of personally identifiable information (PII) stolen in 2014, the time has come for organizations to ask the question: how will you protect your information and data? Cyber threats, attackers and their motives are rapidly growing more sophisticated and are constantly changing. Today, the driving forces behind the majority of cyber threats include monetary gain, espionage, national security and political activism – with monetary gain representing 74 percent of attacks.
The first thing to remember when it comes to the subject of security is that we’re not in the business of securing the cloud, data center or endpoint. Rather, we’re in the business of securing data and information in the place in which it resides.
Organizations are increasingly turning to the cloud as a place to store data and information because it allows both flexibility and scalability. However, many still view the cloud – and cloud vendors – with trepidation, pointing to security issues such as last year’s iCloud breach that leaked nude celebrity photos and consequently dominated more than a few salacious headlines in 2014. While the cloud is a suitable strategy for protecting the burgeoning accumulation of mobile data, it’s also a perfect conduit for allowing hackers to serve up malware and launch attacks. The consequences can reach beyond the borders of an enterprise to compromise customer data.
So what exactly is cloud security and what can it do?
Cloud security is a set of policies, technologies and controls designed to protect data and infrastructure, and enable regulatory compliance using layered technologies that create a durable security net or grid. The main goal here is to provide protection via whichever delivery model – private, public or hybrid cloud environments – an organization chooses to deploy.
However, the cloud is not a one-size-fits-all solution that can protect all IT assets. Organizations can no longer rely on firewalls as a single point of control, and security practices must expand beyond the data center to include key control points for endpoints accessing the cloud and edge systems. One option to consider is the AWS (Amazon Web Services) environment, where, under the AWS Shared Security Model, AWS is responsible for securing the underlying infrastructure that supports the cloud, while the organization is responsible for anything that it puts on the cloud or connects to the cloud. This shared security responsibility model can reduce operational burdens and improve default security posture without additional action on the organization’s part.
A security profile in the cloud is defined by what the organization needs, the systems that are moved within the cloud, and the way users will access data and applications. There are multiple steps that IT managers can take to mitigate security vulnerabilities, including encrypting data at rest or in motion in the cloud; establishing and verifying identities; establishing trusted systems; and building higher assurance into compliance to streamline auditing and increase visibility into the cloud environment.
Encryption is the best practice for safeguarding any sensitive data that might be at risk of loss of physical control, and it’s critically important in cloud environments. Encrypting data is imperative wherever it is in the cloud: at rest, in process or in motion. This is especially important in hybrid or public cloud models, where data may be stored or moved outside the traditional IT environment. However, encryption is also important in internal private clouds, since data can be exposed on shared computer resources.
So, how do you choose the right cloud service provider?
It’s vital for an organization to clearly communicate its security needs, as well as spell out and verify what is required and what needs to be delivered. While organizations can delegate the operational issues related to their data, they cannot abdicate their responsibility to protect this data. It will always be the responsibility of the organization to select, design and implement proper services and monitor those services for compliance.