Information security has always revolved around three fundamental questions:
- Where is my data?
- How is it being protected?
- Who has access?
These questions still apply when putting information assets in a cloud. They’re just more difficult to answer.
“In a traditional environment,” says Malcolm Harkins, Vice President and Chief Information Security Officer at Intel, “if you know where the physical server is, you know where the data is. You also have much more control over data access and protection.”
Traditional environments are like castles, with stout security measures protecting the perimeter the way a moat and drawbridge would. Cloud environments, by contrast, are more like an open society, without established boundaries or distinct points of entry.
“In a virtual world, there is no perimeter,” says Steve Martino, Vice President of Information Security at Cisco. “Where the data resides, who has access, and how they are accessing it are all in flux. And the proliferation of mobile devices and BYOD [Bring Your Own Device] policies adds another layer of variation and complexity.”
It’s safe to say the cloud has made information security, well, cloudier.
Weighing risk and finding trust
To deal with the nebulous nature of the cloud, organizations must move from perimeter protection to identity and policy enforcement, with:
- Visibility of user activity
- Policies that control when, where, and how users access data
- An understanding of how data moves within the cloud, and where it is stored
“Security issues are different for public, private, and hybrid clouds,” says Martino. “For example, Cisco has a robust private cloud, but we also use public cloud offerings like salesforce.com. We need to consider the data protection, management, and access policies differently for each one.”
Cloud security decisions should be based on risk, both Harkins and Martino suggest.
“Organizations need to think carefully about the criticality of the data and services being delivered,” Harkins recommends. “You can then assess risk tolerance and control requirements accordingly. It’s a matter of determining what type of protection is needed and what type of visibility and control must be maintained.”
“When quantifying risk, it’s often helpful to look outside the organization,” adds Martino. “What is the value of the data? Who would want it? And how would they potentially gain access? Answers to those questions will help determine what type of cloud environment is best, and what type of controls and policies are needed.”
The optimum solution, both security experts agree, inevitably boils down to trust.
“Trust is a real-time thing,” explains Martino. “It is constantly evolving and changing. Trust involves users and devices, both internal and external, as well as applications and data. It involves the technologies supporting the cloud, and the people delivering the cloud solution.”
“How the technology is used is often more consequential than the technology itself,” Harkins adds. “This is the same for an internal private cloud or a massive public cloud like Facebook. The more access you allow, the less you know about the people and devices accessing your data. And the more information you share publicly, the more vulnerable you will be. This is why security policies and controls are so vital.”
Still, technology underpinnings are important. Harkins and Martino say organizations should be as comfortable with the foundational elements of a cloud solution as they are with their cloud provider.
“There’s an element of brand reputation and trust in everything, but you also have to consider the model, how it is used, and who is using it,” says Martino, who provides a fitting analogy. “You wouldn’t put your teenager behind the wheel of a brand new Ferrari immediately after she passes her driving test. At the same time, you probably don’t want to put her in a tin can with a shaky tire.”
In other words, carefully consider your users, the devices they use, your data, and how they come together. Determine your tolerance for risk. Assess your levels of trust. And secure your cloud-based information assets accordingly.