By Justin Fielder, Easynet Chief Technology Officer
If I were to suggest businesses move IT services to the cloud to improve security, there’s a strong possibility I would be laughed out of town. Despite businesses clearly seeing the benefits of migrating to the cloud, research shows that, for 61% of European CIOs, security is still the biggest concern when considering such a move.
For many network professionals, there is a clear comfort factor which derives from having a virtual boundary fence built around their network, within which sits corporate data and applications. 45% of IT professionals surveyed by CIO.com in the US said their biggest cloud security concern is a lack of perimeter defences and/or control of the corporate network.
When we drill down further into the inhibitors to cloud migration, the concerns very specifically relate to the storage of data and its privacy. Historically CIOs have found peace of mind by keeping data on the “inside”, protected by firewalls, intrusion detection/protection systems and a myriad of other technologies designed to keep you and your data safe from the outside world.
Whilst this provides a nice room full of flashing boxes, is that approach really so secure, or do you just feel more secure because you can see and touch both the data and the things that are meant to be keeping it safe?
A move to the cloud necessitates a change in mind-set as you outsource trust and delegate control. However, moving your IT to the cloud can actually result in a dramatic improvement in data security, increasing control and accountability, as well as actually making you feel more secure when you consider all risks.
The first step when switching to the cloud should involve an in-depth audit of a company’s IT estate, management and application strategy. These audits shine the spotlight on a company’s security, and can unearth some uncomfortable truths. By taking the perimeter approach to security, it’s easy for a business to turn a blind eye to the overall eco-system that is processing its data.
This isn’t necessarily an “IT” challenge; it can be simple, physical processes that really create the problem. For example, businesses should have detailed processes in place for the secure disposal of end-of-life equipment. They might employ a specialist company to remove it or recycle it, or might even donate it to a local charity.
But how rigorous are the checks on all equipment before it leaves the premises? Do you use a single secure disposal company for every piece of IT equipment, or just for the obvious security risks of PCs, servers and hard drives? Is every end-of-life BlackBerry wiped of personal and company data, or have some of them just been “handed down” by the user or the IT department? How long does the equipment sit with the IT department before it’s removed?
An IT team surrounded by dusty keyboards, monitors and old laptops is commonplace, especially when staff move companies frequently and staff restructuring programmes are not uncommon, leading to dozens of pieces of equipment waiting to be wiped clean of confidential data. When there is the need for a quick replacement due to a fault, is the equipment correctly wiped, or just formatted and used to fix the problem?
Add to this the risk of well-intentioned employees putting confidential data in the recycling bin, the possibility of hardware theft, staff transferring company data to their personal devices and the chance that your employees could leave company laptops or their private devices on public transport, and it’s easy to see that a safety wall around your data can topple over fairly easily.
Migrating your data to the cloud isn’t about shifting the blame, or spreading the risk. Cloud vendors have tight security: being secure and keeping their platforms running are the lifeblood of their business.
Concerns about others accessing data should be addressed head-on by your cloud vendor, which should have encryption, authentication and authorisation techniques that far exceed your requirements. Ask them where they will be storing your data, and what the internal and external controls are around the storing of that data. Treat them as if you were giving them the keys and access rights to your network, server rooms and full access to your staff’s credentials.
There are significant benefits from trusting a cloud provider with your data. For the right providers, securing the platform and the customer data are priorities for their business, and due to their scale they will have resources to spend which your organisation is unlikely to match. They will have dedicated staff whose role it is to ensure the platform and data are secure on an on-going basis, and they will be keeping up-to-date with all the relevant threats.
This is another reason why migrating to the cloud can improve your security: consider the CTO who delays expenditure on operating system, software and virus updates. In the cloud, you no longer have to allocate a hefty chunk of your IT budget to these updates because they are built into the service charge. But do remember to check your vendor’s financial stability. Talk to their customers and gather your own intelligence on how they operate as a business. If the provider collapses and they own the hardware on which your data is housed, how are you going to get it back?
Don’t just look at what they do to protect themselves from the “outside” world, but assess how they solve the “internal” issues that I outlined earlier.
Ensure that access to their physical machines is akin to attempting to get into Fort Knox. Find out what their procedures are for data retention, access control, equipment disposal and the 20+ other things that are critical when your data is stored on them. Vendors should take accountability for breaches and show you proof of compliance with security measures, and have stringent Service Level Agreements, ideally with ISO27001 and ISO9002 accreditations to demonstrate that they adhere to processes.
Finally, whilst I’ve outlined the critical questions you should ask, you also need to gaze at yourself in the mirror to ensure that you are not the weakest link in the chain.
Whilst the onus for security lies with the cloud vendor, if it all goes wrong then the data owner is the one who has the ultimate responsibility. The UK Information Commissioner’s Office (ICO) has published guidelines which clearly state that in the event of a security breach, the company that generated the data is liable – not the cloud vendor.
Yes, there has been the occasional high-profile security breach of data in the cloud. In reality, though, people are the weakest link, whether involved in hacking scandals, DDoS attacks, phishing attacks, gaining unlawful access to sensitive information or hardware theft.
There are simple steps you can take as a business to encourage your staff to maximise security in a move to the cloud. Ensuring that staff make their passwords impossible to guess is more important than ever, because if in a cloud-based service you have a post-it note stuck to a monitor with the password written on it, then that post-it note is not just visible in the office, it’s visible to the entire world.
Tools like LastPass, which can hide multiple different passwords behind a single ‘master’ password, can help, but good old-fashioned employee education is also critically needed here.
We know that people are more of a risk than computers. Whether or not you have your arms wrapped tightly around your own corporate network is not going to mitigate this risk. The cloud offers many advantages, and if you get it right, actually making your business fundamentally more secure can be one of them.