When it comes to the cloud, expansion is the only option and forward is the only way to go; its flexibility, on-demand capacity and just as important – its scalability means it’s seen as the ideal platform to support businesses. With such a range of benefits that cover everything from financial advantages to reducing the worry and issues involved in installing and maintaining hardware (which obviously keeps both the finance and IT teams content!) Entrusting all on to a cloud service provider that makes you the guarantee it will look after all areas – from performance and storage to email – is definitely a very tempting offer you won’t want to refuse.
Here are a few reasons why
The same kind of attacks that target on-premise data centre environments are transfering to the cloud – Attacks that are characteristic to on-premise centres, like malware, brute force attacks, and botnets for example, are also now zoning in on cloud environments. While the quantity of user applications that are moving to the cloud increases, so will the number of botnet and malware attacks.
The breadth and depth of attacks shows threat diversity in the cloud is on the rise – This year, the range of attacks which exist and are a threat to companies within the cloud has increased significantly, to rival that of on-premise data centres. Companies need to pay just as much attention to the sophistication of their security in the cloud, as they would ordinarily to protect their data.
The solutions classically relied upon to combat these threats aren’t sufficient – To be able to determine the efficiency of security solutions, such as anti-virus programmes, in major public clouds globally, new patterns of attacks and emerging threats were found through a honeypot project. Through this, a very interesting observation was made that was just as disturbing; of the malware collected 14% was considered to be undetectable by 51% of the world’s top anti-virus vendors.
There is some good news however – there is a lot that companies can do in order to protect themselves; first of all they need to be fully educated on what their business and applications need from a security and compliance point of view.
To be absolutely certain that the cloud provider is taking the security of your data seriously, you should ensure that the service provider can answer the following questions with confidence:
What is their data encryption strategy and how is it implemented?
Encryption is the most ideal method for protecting sensitive data; data is left unreadable to anybody who is unauthorised. It would be preferable for the cloud service provider to be knowledgeable in who exactly controls the keys and what standard of encryption is utilised.
What is the hypervisor and provider infrastructure patching schedule?
Like previously mentioned, exploits such as malware are on the rise, so it’s imperative that the provider patches and updates the infrastructure with frequency. This aims to minimise the threats to their customer’s data.
How do you isolate and safeguard my data from other customers?
A consequence of the huge capacities, providers (unless it has been otherwise specified) will house data for multiple companies. You should ask how they segment this data, and what controls they have in place to prevent the accidental sharing as well as how the controls are executed.
How is user access monitored, modified, and documented?
It’s important to be aware of who is accessing the data to prevent it being compromised. Separation of duties needs to be in place so that for example, the provider’s administrator doesn’t have total authority and control over your data. It’s necessary that the provider can give a concise and clear documentation and reporting.
What regulatory requirements does the provider subscribe to?
With several regulatory controls that a provider can stick to, they can show best practice and compliance. If a provider sticks to industry standards, then it’s a great sign that they take the integrity and security of your data seriously.
What is the provider’s back-up and disaster recovery strategy?
Ask about what the track record is in availability and make sure that there is transparency to its infrastructure. Ensure that boundaries have been properly defined so that everyone knows their responsibility; it may be that you are entirely responsible for the backup of your own data.
What visibility will the provider offer your organisation into security processes and events affecting your data from both front and back-end of your instance?
This is a vital part to security strategy, especially from a forensic and audit stand point. In the event of an incident occurring and needing to be investigated, you must be aware of every piece of information that’s available in order to figure out just how and why it occurred, but more importantly – how the action was solved immediately. Therefore, your cloud service provider should be able to tell you about how it follows this process and how you are kept alerted in such situations.
These are only a small sample of questions you might want to ask the service provider when it comes to the security of your sensitive data within the cloud, regardless of if you’re starting a new project within the cloud, or have been with one for many years. With the answers that you are given, you can then select the cloud platform that makes the most sense and is also the most transparent on what they offer in terms of security; the degree of competence of the answers provided will allow you to judge just how secure your data may be with that cloud provider and how seriously they take the security of sensitive data that is critical to your business.
When it comes to the cloud, expansion is the only option and forward is the only way to go; its flexibility, on-demand capacity and just as important – its scalability means it’s seen as the ideal platform to support businesses. With such a range of benefits that cover everything from financial advantages to reducing the worry and issues involved in installing and maintaining hardware (which obviously keeps both the finance and IT teams content!) Entrusting all on to a cloud service provider that makes you the guarantee it will look after all areas – from performance and storage to email – is definitely a very tempting offer you won’t want to refuse.
Here are a few reasons why
The same kind of attacks that target on-premise data centre environments are transfering to the cloud – Attacks that are characteristic to on-premise centres, like malware, brute force attacks, and botnets for example, are also now zoning in on cloud environments. While the quantity of user applications that are moving to the cloud increases, so will the number of botnet and malware attacks.
The breadth and depth of attacks shows threat diversity in the cloud is on the rise – This year, the range of attacks which exist and are a threat to companies within the cloud has increased significantly, to rival that of on-premise data centres. Companies need to pay just as much attention to the sophistication of their security in the cloud, as they would ordinarily to protect their data.
The solutions classically relied upon to combat these threats aren’t sufficient – To be able to determine the efficiency of security solutions, such as anti-virus programmes, in major public clouds globally, new patterns of attacks and emerging threats were found through a honeypot project. Through this, a very interesting observation was made that was just as disturbing; of the malware collected 14% was considered to be undetectable by 51% of the world’s top anti-virus vendors.
There is some good news however – there is a lot that companies can do in order to protect themselves; first of all they need to be fully educated on what their business and applications need from a security and compliance point of view.
To be absolutely certain that the cloud provider is taking the security of your data seriously, you should ensure that the service provider can answer the following questions with confidence:
What is their data encryption strategy and how is it implemented?
Encryption is the most ideal method for protecting sensitive data; data is left unreadable to anybody who is unauthorised. It would be preferable for the cloud service provider to be knowledgeable in who exactly controls the keys and what standard of encryption is utilised.
What is the hypervisor and provider infrastructure patching schedule?
Like previously mentioned, exploits such as malware are on the rise, so it’s imperative that the provider patches and updates the infrastructure with frequency. This aims to minimise the threats to their customer’s data.
How do you isolate and safeguard my data from other customers?
A consequence of the huge capacities, providers (unless it has been otherwise specified) will house data for multiple companies. You should ask how they segment this data, and what controls they have in place to prevent the accidental sharing as well as how the controls are executed.
How is user access monitored, modified, and documented?
It’s important to be aware of who is accessing the data to prevent it being compromised. Separation of duties needs to be in place so that for example, the provider’s administrator doesn’t have total authority and control over your data. It’s necessary that the provider can give a concise and clear documentation and reporting.
What regulatory requirements does the provider subscribe to?
With several regulatory controls that a provider can stick to, they can show best practice and compliance. If a provider sticks to industry standards, then it’s a great sign that they take the integrity and security of your data seriously.
What is the provider’s back-up and disaster recovery strategy?
Ask about what the track record is in availability and make sure that there is transparency to its infrastructure. Ensure that boundaries have been properly defined so that everyone knows their responsibility; it may be that you are entirely responsible for the backup of your own data.
What visibility will the provider offer your organisation into security processes and events affecting your data from both front and back-end of your instance?
This is a vital part to security strategy, especially from a forensic and audit stand point. In the event of an incident occurring and needing to be investigated, you must be aware of every piece of information that’s available in order to figure out just how and why it occurred, but more importantly – how the action was solved immediately. Therefore, your cloud service provider should be able to tell you about how it follows this process and how you are kept alerted in such situations.
These are only a small sample of questions you might want to ask the service provider when it comes to the security of your sensitive data within the cloud, regardless of if you’re starting a new project within the cloud, or have been with one for many years. With the answers that you are given, you can then select the cloud platform that makes the most sense and is also the most transparent on what they offer in terms of security; the degree of competence of the answers provided will allow you to judge just how secure your data may be with that cloud provider and how seriously they take the security of sensitive data that is critical to your business.