Reactions to the problem of security in the cloud range all the way from ignoring the issue completely to clinging so tightly to traditional IT security philosophies and methods as to ban cloud services entirely. Companies that have experienced governance and compliance problems, or outright data breaches, often apply additional scrutiny to the process. And it’s a justifiable concern: Significant security breaches can adversely affect a company’s reputation for years, resulting in low customer confidence, lost current and future revenues, a poor public image, and legal liability.
On the flip side, in times of tight IT budgets, overpayment for security services must be avoided. What’s the best way to resolve this conflict? We believe that it lies in taking a holistic, risk-based approach to security in the cloud that gives companies a consistent, structured way of deciding which kinds of data can be safely moved there.
The key to both the problem and the solution lies in the very nature of cloud computing — that critical data must be moved out beyond the corporate firewall and given over to a cloud services provider that offers storage and provides access. As such, cloud computing raises security questions that cannot be resolved with traditional IT security practices. These questions include the following:
- Which services and related data can be moved safely into the cloud, and when?
- How will sensitive data be protected in storage, in transit, and in use?
- How can access to cloud-based data and services through new hard-to-control devices such as smartphones and iPads be managed in line with security requirements?
- What security levers built into cloud architecture components can be pulled to mitigate new risks?
- How can companies be sure that cloud service providers are compliant with their security requirements?