SEMA News—August 2019

INTERNET

By Joe Dysart

Getting Cloud Security Right

A Game Plan Offers a Solution

Companies need to provide their own security guarantees. You’ll need to be sure that ID and passwords on your local network are hacker-deterred.

Businesses looking to move to the cloud can ensure that their security is world class with a game plan developed by one of the leading nonprofits in the space: the Cloud Security Alliance (www.tinyurl.com/cloudsecurityalliance-org).

The Alliance’s free, 53-page e-book—a collaboration from some of the best minds in cloud security—offers an extremely detailed, extremely thorough look at every aspect of security to consider before you make the jump to cloud computing. If you’re looking for a guidebook completely devoid of fluff and packed with insights on how to ensure you nail your cloud security concerns cold, this is the e-book for you.

“We developed the guidelines with cloud customers in mind, especially for small and medium enterprises that lack professional security teams to design, deploy and operate secure cloud services in various cloud environments,” said Dr. Chen Kai, cybersecurity specialist at Huawei Technologies and a lead author on the e-book. “These guidelines will help cloud customers make informed decisions on selecting cloud service providers that best complement their organizations’ specific needs.”

Added Jim McDonough, vice president of inside sales at ThreatStack (www.threatstack.com), an IT security firm that provides third-party security services for cloud computing: “Security is a top concern in the cloud—and everywhere else these days—so it’s critical to ask detailed and explicit questions that relate to your unique use cases, industry, regulatory requirements and any other concerns you may have. Consider what security features are offered free out of the box for each vendor you’re evaluating, which additional paid services are available from the providers themselves, and where you may need to supplement with third-party partners’ technology.”

Most companies today are only 20% along their cloud journey,” said Ginni Rometty, IBM’s CEO. “The next 80% is about unlocking real business value and driving growth.”

Of course, moving to the cloud does involve some trade-offs. More than a few businesses are uneasy with the idea of entrusting their data to a cloud service provider, no matter how noble the provider’s reps may seem during face-to-face meetings. There can also be a latency problem, where software that performs wonderfully on your desktop computer may run more slowly—or sometimes much more slowly—when accessed via the cloud.

Agreeing to use software provided by a cloud service provider can also mean relinquishing your right to decide when you’d like to upgrade to the newest version of a software package. For example, sometimes when a cloud service provider decides its time to change to the latest version of Microsoft Word, you’re also going to have to change—whether you like it or not.

But even with those caveats, it’s been very tough for legions of businesses to resist the siren call of cloud computing, given its ability to enable companies to significantly reduce computing costs, offload computer hardware purchasing headaches to a cloud provider, and turn over much of the maintenance and service problems associated with computing to a cloud service provider.

In fact, 96% of IT pros surveyed in January 2018 said that they were using the cloud in some way, according to Right Scale’s “2018 State of the Cloud Survey” (www.tinyurl.com/info-flexerasoftware-com-SLO). And 26% of the 997 IT pros surveyed for the study said that their companies were spending more than $6 million annually on public cloud services (clouds that are shared by more than one company). Another 52% in that same group said that their companies were spending more than $1.2 million annually on public cloud services.

“Most companies today are only 20% along their cloud journey,” said Ginni Rometty, IBM’s CEO. “The next 80% is about unlocking real business value and driving growth.”

That certainly sounds promising, but you need to be sure you’ve got your back covered from a security standpoint to ensure that value and growth truly materialize. One of the key insights of the Cloud Security Alliance’s e-book is that security is actually a shared responsibility when a company moves to the cloud, with the cloud provider on the hook for some vulnerabilities and the company responsible for others, according to the Alliance’s Kai.

For example, any cloud service provider worth its salt will ensure—in writing—that it will provide physical security for all the computer equipment it’s using, provide backup and recovery for your data, and have a clear disaster-management plan in place should your cloud services go sideways for any reason, according to Kai.

But companies also need to provide their own security guarantees. You’ll need to be sure that ID and passwords on your local network are hacker-deterred, for example. And you’ll need to ensure that the software and applications you’re using to access the cloud from your premises are also secure, according to the Cloud Security Alliance.

Meanwhile, businesses with deep pockets may want to take an even deeper dive into cloud security with the Cloud Security Alliance/One Trust VRM Tool (www.tinyurl.com/cloudsecurityalliance-arti). A software-driven solution, the tool offers businesses the ability to access reviews on how more than 4,000 cloud service providers stack up when it comes to security and privacy.

Essentially, the solution automates the entire management of cloud service providers for companies, including onboarding and offboarding cloud service providers, triaging providers and maintaining records needed for accountability and compliance. With the tool, companies can:

• Choose from prepopulated Cloud Security Alliance assessment templates.
• Modify existing templates or create custom questionnaires.
• Distribute assessments internally and to external vendors.
• Populate vendor information from the tool’s database.
• Identify, track and mitigate vendor risks through workflows.

“We want to give privacy and security professionals the power to automate and simplify what can be an overwhelming task of managing and monitoring vendor risk,”said Kabir Barday, CEO of OneTrust, which is a privacy software company.

The only hitch: You need to be a member of the Cloud Security Alliance to get free access to the tool. For a standard membership, that runs a cool $10,000.

Besides the above offerings, the Cloud Security Alliance also enables a cloud service provider to be certified as employing security best practices after undergoing a thorough evaluation by the Alliance. Like a Good Housekeeping Seal of Approval, security certification from the Cloud Security Alliance lets a company know that a cloud service provider has the very latest technology in cloud security—and knows how to use it.

For those across the pond, a similar certification service is offered by the British Standards Institution (www.bsigroup.com/en-us).

Joe Dysart is an internet speaker and business consultant based in Manhattan. Contact Dysart at 646-233-4089, joe@joedysart.com and www.joedysart.com.