Businesses are increasingly turning to cloud-based platforms to manage and process the huge quantities of data generated during their day-to-day interactions with customers, partners, vendors and others. Cloud provides new opportunities to create hyper-efficient operations and leverage real-time data analytics, which help businesses gain a competitive edge in the market. Cloud adoption has reached stratospheric heights, with the next breed of agile and aggressive businesses pushing the boundaries of innovation to exceed their customers' expectations while upending entrenched competition.
Cloud adoption data and insights
According to the IDG Cloud Computing Survey, nearly 72% of enterprises have at least one application or a portion of their computing structure running on the cloud. Enterprises will increase their cloud investment more than their counterparts in the SMB segment. Various cost and operational challenges will drive cloud adoption in the future. The top cloud adoption catalysts are: lowering the total cost of ownership (44%), enablement of business continuity (50%), and speed of deployment (46%). The study also points to the increasing role of the CIO and top IT executives (76%) in purchase decision making. However, the question of security is going to be increasingly critical to any cloud implementation in the future. According to the report, concerns about the security of cloud computing solutions are at the top of every CIO's agenda, with 67% considering it to be very critical.
The State of Security on the Cloud: Stats and Facts
Despite cloud’s stratospheric rise, lingering doubts remain about data security due to the vast number of security breaches widely reported in the media in the last few years. “Data protection”, “the enabling of security protocols and measures” and “data loss” are some of the factors giving nightmares to enterprises that are planning to transition to the cloud environment. Research on the state of data security conducted by the Ponemon Institute arrived at the following conclusions:
- Cyberattacks have increased in frequency and in the cost to remediate the consequences: In 2014 cyberattacks constituted 42% of the data breaches, increasing to 47% in 2015. The cost increased from $159 to $170 per record in the same period
- Increase in business loss due to data breaches: Average loss to business resulting from data breaches increased from $1.33 million to $1.57 million between 2014 and 2015. The amount of loss was calculated on the basis of customer turnover, increase in customer acquisition activities, reputation loss and loss of goodwill
- The cost of a breach varies from industry to industry: Highest in healthcare ($363), followed by education ($300), transportation ($121) and public sector ($68). The cost of a security breach in retail jumped from $105 to $165 within the period 2014 to 2015
Security guidelines for business transition to cloud?
Firstly, businesses will have to make the distinction between public, private, hybrid and community cloud platforms, because the data security challenges and concerns differ from platform to platform. When you operate in a public cloud, you operate on shared network and computing infrastructure. Also, the cloud may be owned by a third-party provider who may outsource security to outsiders, escalating security risks.
Then there’s data. Typically data is of three types: data at rest (data stores), in transit (networks) and in play (applications). In a public infrastructure everything is at risk. If you use encryption, then management of encryption keys is a big challenge. Ideally, only the owner of the data should have the key. In a shared system, there is also no way of knowing who your neighbours are in the public cloud. Moreover, encrypting data before storing it in the cloud would be counterproductive, because you would then lose out on the functionality provided by the cloud. In a private cloud, the tenants may all belong to one company, which gives better control over the infrastructure, encryption, keys, audits, compliance etc.
These are questions of significant importance to the industry, considering the speed with which businesses are transitioning to the cloud. Several industry bodies have taken note of the situation and set up standard guidelines for making the business transition to cloud smooth and incident free. For example, the UK government has come up with the Guidance Summary of Cloud Security Principles, which provides guidelines for making the transition.
The guidelines are as given below:
- Data in transit protection
Consumer data transiting networks should be adequately protected against tampering and eavesdropping via a combination of network protection and encryption.
- Asset protection and resilience
Consumer data, and the assets storing or processing it, should be protected against physical tampering, loss, damage or seizure.
- Separation between consumers
Separation should exist between different consumers of the service to prevent one malicious or compromised consumer from affecting the service or data of another.
- Governance framework
The service provider should have a security governance framework that coordinates and directs their overall approach to the management of the service and information within it.
- Operational security
The service provider should have processes and procedures in place to ensure the operational security of the service.
- Personnel security
Service provider staff should be subject to personnel security screening and security education for their role.
- Secure development
Services should be designed and developed to identify and mitigate threats to their security.
- Secure consumer management
Consumers should be provided with the tools required to help them securely manage their service.
- Identity and authentication
Access to all service interfaces (for consumers and providers) should be constrained to authenticated and authorised individuals.
- External interface protection
All external or less trusted interfaces of the service should be identified and have appropriate protections to defend against attacks through them.
- Secure service administration
The methods used by the service provider’s administrators to manage the operational service should be designed to mitigate any risk of exploitation that could undermine the security of the service.
- Audit information provision to consumers
Consumers should be provided with the audit records they need to monitor access to their service and the data held within it.
- Secure use of the service by the consumer
Consumers have certain responsibilities when using a cloud service in order for this use to remain secure, and for their data to be adequately protected.