Across the world, organizations are adopting cloud-based services to gain the benefits of rapid deployment, scalability, and cost savings. Yet security worries still prevent many organizations from moving their sensitive data and business functions to the cloud. With cybersecurity breaches on the rise, executives and boards of directors are increasingly concerned about protecting their organizations' data and information systems, whether they are in or out of the cloud. C-suite executives are demanding rigorous due diligence and greater security controls—and wondering if it's enough.
The hesitation to fully embrace the cloud is perpetuated by two common but conflicting myths about its security: one, that the cloud is secure by default; and two, that the cloud can never be secure enough for sensitive data and information systems. The reality is that, with proper planning and controls, the cloud can be secure enough for even sensitive data and information systems.
How can your organization reap the full benefits of the cloud and avoid potential security risks? By following four fundamental steps:
Establish clear controls and responsibilities
Who's in charge of your data security? It's essential to identify and clearly define which security controls are managed by your cloud-service providers (CSPs), and which are your organization's responsibility. Organizations should never rely solely on their CSPs to secure their data and information systems. Ultimately, your organization is responsible for securing these valuable assets, wherever they reside.
Because the dividing line between a CSP's cybersecurity responsibilities and those of an organization can be fuzzy, it's important to formally discuss and document these responsibilities with a CSP before signing a contract with them. Verify any assumptions about how a CSP will protect your organization's data and information systems.
Many CSPs, such as Amazon Web Services, have a "shared responsibility model" for security controls. With this model, the CSP takes responsibility for securing the cloud infrastructure while the customer is responsible for securing the applications and data hosted on that infrastructure. If shared responsibility seems appropriate for your organization, look for CSPs that have formally documented this model. You want to choose a mature organization that clearly understands its security responsibilities.
Encrypt all data being sent and stored
Making a secure move to the cloud includes ensuring that all data is sent encrypted when it's being uploaded to or downloaded from the cloud. Also be sure to strongly encrypt all sensitive data (e.g., medical information, financial data) stored in the cloud.
Strictly limit who is allowed to decrypt sensitive data stored in the cloud. Never store decryption keys with encrypted data in the cloud. And do not share your cryptographic keys with your CSP – your organization should have sole control over them. Reduce your risk by documenting and implementing a formal cryptographic key management process that covers the generation of strong cryptographic keys together with their secure distribution and storage.
Spell it out: Service-level agreements and contracts
A service-level agreement (SLA) can eliminate gray areas by defining expected levels of service for a CSP along with the consequences (such as a customer service credit) if such levels are not met.
In addition to standard requirements, such as availability and performance, be sure to include cybersecurity-related items, such as the maximum time before a cybersecurity incident at a CSP must be reported. This sets a tone with the CSP and lets them know your organization takes cybersecurity seriously.
Your contract with a CSP should clearly state the security controls and cybersecurity standards that the CSP must maintain (e.g., PCI DSS, HIPAA, FISMA), along with your right to audit their compliance. It should state that your organization owns the data it has stored with the CSP, and that you have the right to get the data back. It should also give your organization the right to stop using the CSP if it does not meet the requirements of your contract or SLA.
Go with an audit-proven CSP
Choose a CSP that regularly has independent third-party assessments of its cybersecurity practices. Third-party assessments are usually more rigorous and meaningful than self-assessments. Depending on the nature of your business, good third-party assessments for CSPs include SSAE16, PCI DSS, FedRAMP and CSA STAR. Whenever possible, ask to see the full assessment reports; they contain much useful information about CSP cybersecurity practices.
In the end, the cloud is as secure as your organization and your CSPs make it—together. Choose a mature CSP that has gone through independent audits. Insist on detailed contracts and SLAs. Encrypt your data. And establish clear internal controls and responsibilities. These essential steps will enable your organization to move to the cloud with confidence.
Steven Weil is security director at Point B, an integrated management consulting, venture investment, and real estate development firm. Over the past 20 years, he has provided a wide variety of cybersecurity services to hospitals, universities, state government agencies, cities and large companies throughout the United States.