Avatar

Security concerns around cloud adoption can keep many IT and business leaders up at night. This blog series examines how organizations can take control of their cloud strategies. The first blog of this series discussing the role of data security in the cloud can be found here. The second blog of this series highlighting drivers for managed security and what to look for in a cloud provider can be found here.

In today’s workplace, employees are encouraged to find the most agile ways to accomplish business: this extends beyond using their own devices to work on from anywhere, anytime and at any place to now choosing which cloud services to use.

Why Bring Your Own Service Needs to be on Infosec's Radar
Why Bring Your Own Service Needs to be on Infosec’s Radar

In many instances, most of this happens with little IT engagement. In fact, according to a 2013 Fortinet Survey, Generation Y users are increasingly willing to skirt such policies to use their own devices and cloud services. Couple this user behavior with estimates from Cisco’s Global Cloud Index that by the year 2017, over two thirds of all data center traffic will be based in the cloud proves that cloud computing is undeniable and unstoppable.

With this information in mind, how should IT and InfoSec teams manage their company’s data when hundreds of instances of new cloud deployments happen each month without their knowledge?

Additionally, what provisions need to be in place to limit risks from data being stored, processed and managed by third parties?

Here are a few considerations for IT and InfoSec teams as they try to secure our world of many clouds:

1 Acknowledge that Everything is in the Cloud or Being Moved to the Cloud

According to the recent IT Impact of Cloud on IT Consumption Models Survey, from 4,200 IT leaders surveyed, security concerns, particularly around data protection ranked as the number-one inhibitor to cloud adoption.  However, the business reality is the cloud enables business units and workers to utilize new applications, enjoy constant availability and with a fraction of the time it would otherwise take to deploy in house and at much lower cost.

And, while many IT leaders and InfoSec professional view the lack of data control and lack of visibility into public cloud providers’ data handling and threat posture. Cloud based threat intelligence can provide a degree of confidence and enable near-real-time security decision-making.

With more traffic going through the cloud, security solutions that also rely on the cloud can quickly and easily analyze this traffic and gain from this supplemental information. In addition, for smaller organizations or those with budget constraints, a well-protected and well-managed cloud service can offer more security safeguards than a business’s own servers and firewalls.

Download the Cisco 2014 Annual Security Report
Download the Cisco 2014 Annual Security Report

2. Focus on Securing Your Organization’s Lifeblood

Data is the lifeblood of today’s organizations and security must focus on points of data interconnects rather than just simply on ensuring a secure and compliant infrastructure.  For each organization data has a different value that is oriented around their business model and industry vertical.  Organizations need to identify data that is mission critical and ensure strong protection measure s to ensure the confidentiality, integrity, availability and access of that information Enforcing policies based on these data points enables IT to play a strategic advisory role to the business and cloud providers, promoting stronger protection against information assets falling into the wrong hands.

3. Harness Big Data for Actionable Security Decision Making

Big data has great relevance for both business and security protocols. Real-time cloud threat data feeds can be used to make more accurate predictions about risk, because they harness the collective intelligence of users in real time and can aggregate threats from around the world.

Because potential sources of security –related data are endless they require scalable architectures and big data-processing facilities such as HADOOP and OLAP (online analytical processing).  These architectures and processing facilities will vary based on each organization’s security and business requirements as well as data sources.  It is critical that organizations have the right platforms in place so that they can apply the analytical techniques with which to identify potential data breaches, data leakages and system compromise so that mitigating controls can be applied.

4. Cloud security is not a single “amorphous” model – Choose Carefully.

It’s no surprise that Gartner predicts cloud computing will become the bulk of new IT spend by 2016, especially as new cloud solutions offer more scalable capabilities delivered “as a service.” However, as the cloud market is evolving rapidly, companies today can choose from many different approaches for sourcing, deploying, securing and operating cloud solutions. When organizations ask me where they should get started, I tell them there isn’t a single proposal that will fit all organizations. Rather, IT and InfoSec needs to map closely to their business counterparts’ needs.  Work with trusted partners on building the right models whether it is a hybrid model or outsourced to scale to not just todays but future business needs. I’m confident that through this approach, organizations can prepare for optimal engagement through the cloud rather than feel marginalized as the phenomenon of Bring Your Own Cloud takes off.

Interested in learning more about instituting control around cloud security? Read my recent Wired article: What CHAOS Theory means for Today’s CIOs.  Also be sure to follow @CiscoCloud and use #CiscoCloud to join the conversation.

In the same blog series:

  1. Data Security Through the Cloud by Evelyn de Souza
  2. Drivers for Managed Security and what to look for in a Cloud Provider by Evelyn de Souza

Additional Resources:

http://www.slideshare.net/CiscoBusinessInsights/cisco-2014-annual-security-report

 



Authors

Evelyn de Souza

Cloud Data Governance Leader

Chief Technology and Architecture Office