The cloud has been around long enough that there are no shortage of security protocols and mechanisms available to keep data secure. However, in considering the actual move to the cloud there are a few major pain points that come to the forefront, from maintaining security during the actual migration to outsourcing one of a company's most important tasks. And yet for organizations that have not yet made the move, or only partially (and perhaps haphazardly) migrated to the cloud, the benefits of being based in a cloud system is undeniable, with increases in flexibility, efficiency and profitability. Yet it can be hard for an institution to fully commit to cloud computing because of security concerns. Let's take a closer look at what those concerns are and how to keep security tight when you do decide to make the move.
Three Important Security Considerations When Migrating to the Cloud
- Security Weaknesses at Point of Migration: There's a lot of security measures once in the cloud, but getting there can be a major point of weakness. This weakness applies to the first time data is uploaded to a public cloud system, as well as the continual movement from workflow, that likely comes from a variety of user locations and platforms.
- Adaption to a New Cloud-Based Security Protocol: Old habits die hard, and moving to a new cloud-based system requires giving up the old security protocols and adapting a whole set of new ones. Having to let go of the old and bring in the new is a situation ripe for human error.
- Dependence on an Outside Supplier: For those of us in the business of keeping our institution's computing secure, the idea of depending on an outsider for security seems wrong. And it's worth trusting that instinct. While moving to a public cloud requires dependence on a third party, it's still necessary to do due diligence around what precisely you can rely on that outside vendor for.
Solutions to Keeping Data and Workflow Secure as It Moves into the Cloud
Currently, the vast majority of institutions are using cloud computing. Since 2018, 96% of organizations have used it to some capacity. The benefits grow each day as entirely on-site computing makes less and less sense in today's world. The main drawback with moving primarily to the cloud is always security concerns. Here are some of the best ways to make sure the move goes smoothly.
Plan Ahead: Don't Rely on Legacy Security
Those who have migrated to the cloud partially over time are particularly vulnerable to making this error. To expect the on-site security protocols to function properly while cloud computing is foolish. It's necessary to create an organization wide security protocol that is specifically based on the security needs of cloud computing, and based on the specific security needs of the cloud system your organization is using. The key here is to work closely with your cloud service provider to create a system that works with your organization's existing framework but is built specifically for the new needs which the cloud will require.
Understand What Your Data Consists Of
Many treat on-site data as general storage, not distinguishing between kinds of data in how they store their data. This may not be the wisest course of action for the cloud. Being able to understand the kind of data you have, and the sorts of protections you need will help to create a safe migration plan. Some people even find it is worthwhile to use different cloud service providers (CSPs) for different types of data and tasks. Sorting data also allows an organization to undertake a phased migration. For example, this could mean moving lesser value data first.
Know the Rules
From the GDPR to HIPAA, you are no doubt very familiar with those regulations that affect your organization. But the key in maintaining regulation compliant security within the cloud, is being certain your CSP meets your needs, and that you are prepared for what changes are coming down the line. Moving forward it is likely the California Consumer Privacy Act will portend broader security measures going into effect across the country. Are both you and your CSP ready to adapt to upcoming regulations? Knowing what you need now, and what your needs will be moving forward helps you choose the right CSP to most effectively meet those needs.
Keeping Secure in the Cloud
Knowing about your public CSP is a key part of establishing and maintaining security in the cloud. There are a few basic models of public clouds, and all of them offer different models for shared responsibility of security. Let's look at the three main kinds:
- Software as a Service (SaaS): In this model, the CSP is responsible for more of the security: hardware, storage, network, virtualization, operating system, middleware and application. The user is responsible for data and endpoints.
- Platform as a Service (PaaS): Is the middle path, and the CSP is responsible for hardware, storage, network, virtualization, operating system and middleware while the user is reponsible for applications, data and endpoints.
- Infrastructure as a Service (IaaS): This model places the most responsibility for security with the user. The CSP is responsible for hardware, storage, network and virtualization, while the user is reponsible for the operating system, middleware, applications, data and endpoints.
Topics to Cover With Your Cloud Service Provider
One of the most important parts of insuring security, is being able to trust your CSP. Here are a few questions that must be asked as part of due diligence.
- Commingling of Data: When moving to a public cloud, one of the largest fears is how an organization's data might be commingled with another's. Asking how the CSP makes certain that only those authorized can access data is a key question.
- Background Checks: You know who works for you, and that you can trust your team with your data. But the same cannot necessarily be said for the CSP, who's employees could have access to your data. What background check system is in place to make certain that everybody who could access your data is trustworthy?
- Independent Audits: Audits go both ways. Ask what kind of audit system is in place for the CSP you choose to use. Make absolutely certain that CSP you choose will meet all of the standards of any independent audit that could be conducted within your organization.
One of the most powerful ways to test for security effectiveness is through penetration testing. It's necessary to see if the CSP you choose allows for it through an API, but if so, this allows the security of the containerization process to properly tested.
Use Security Tools
- Masking VMs: Some of the world's most infamous hacks, including of organizations as large as Amazon and GoogleDrive, have been through VMs, or the underlying hardware from the host. Google introduced shielded VMs which allow for an additional level of security.
- Comprehensive Encryption: The higher the level of encryption, the better protected you are in the case of a breach. Data encryption is one of the most important tools both at the original point of cloud migration, as well as all follow-up cloud movement and maintenance.
And as always, one of the most important ways to maintain security is to follow best practices, here is a guide from the non-profit organization, the Cloud Security Alliance, which offers security guidelines for the cloud.