Public cloud may be able deliver greater agility to enterprises, but it can also complicate the already fraught information security landscape. And according to a Ponemon Institute report issued this month, cloud may mean that when security breaches do happen, the cost could be significantly higher.
However, the cloud needn't to be a criminal’s paradise if IT managers draw up a contingency plan before placing data into a cloud environment and use a multilayered approach to security.
Speaking last month at the Gartner IT Infrastructure Operations and Data Centre Summit in Sydney, the analyst firm’s research director, Michael Warrilow, told delegates that they are not going to get a “perfect risk assessment” when looking at cloud computing.
“In terms of cloud services, it’s around getting what information you can and making the decision. If you wait for the perfect [risk assessment] information, you’ll be waiting forever. The business would have gone past you and purchased cloud services,” he said.
“If something goes wrong, there is a bad sentiment in the organisation towards cloud computing and you [the IT manager] will get blamed for it anyway.”
- Securing the Internet of Things in a connected world
- Securing your data in a BYOD world
- The rise of security-as-a-service in Australia
According to Warrilow, some organisations he talks to are trying to find the “ultimate secure cloud provider”.
“I’ve got on calls with [Gartner] clients who have said that they’re going to use a public cloud and the public cloud provider is going to do my first level support.”
However, Warrilow warned that enterprises will not get that type of support from a public cloud provider. He advised people using public cloud to add a layer of managed services support from a specialist provider.
According to Chris Grant, managing director of consulting firm Protiviti, the growth in mobile e-commerce and move to public cloud computing could open up “a whole new world” of security vulnerabilities.
“According to Gartner research, almost 300 billion mobile transactions worth US$930 billion were processed in 2013, By 2016 more than half of the world’s top 1000 companies will be storing sensitive customer data in the cloud”,” he said.
Grant added that Australian businesses have a “poor record” in resisting cyber-attacks.
Citing figures in the Ponemon Institute's 2013 Cost of Data Breach Study, he pointed out that during 2013 Australian companies had data breaches that resulted in the highest average number of compromised records per capita with 34,249 breaches recorded.
“Australia also ranked second after Germany, on the list of countries most likely to experience a data breach from malicious or criminal attack – the most costly breach category for companies,” said Grant.
Despite these threats, many businesses remain “dangerously complacent” about their exposures and continue to seriously under-invest in IT security, he said.
According to Grant, Australian companies allocate 1-2 per cent of their IT budget to security.
“We recommend a minimum spend of at least 2-7 per cent on IT security, depending on factors such as regulatory requirements and individual risk factors.”
Defending the cloud
According to Warrilow, encryption is not a “magic bullet” but a strong weapon to have in the cloud security arsenal.
“Don’t assume encryption is going to be everything,” he said. “It is going to be the focus of the legal testing and precedent whether the use of encryption can justify off-premise storage of data.”
Warrilow advised that IT managers need to work with business managers to make sure they are not making bad security decisions.
“Bring them [business managers] in and make it easy for them to work with you rather than without you. Ultimately we believe that IT management will be the broker of [IT] services. For the foreseeable future it is going to be the provider and the broker.”
Protiviti's Grant suggested that IT managers use a 'defence in depth approach' involving multiple IT security measures to protect assets.
“Because the source of a cyber-attack can be unpredictable, you need to be set up so if one security measure is infiltrated there are fall-backs that can continue to hold the fort,” he said.
“Those integrated measures must protect the business on all essential fronts. These include having robust server and application security which should include a clear policy for when it’s appropriate to use the cloud.”
Encryption can help ensure that communications between transacting parties are private and not able to be tampered with.
“Sound audit controls should also be implemented so that breaches or other unauthorised activities can be quickly detected. And lastly, payment processing and settlements need to be secure and compliant with the Payment Card Industry Security Standards [PCISS] which protect against credit card fraud.”
To cloud or not to cloud?
More than half the 145 Australian IT professionals surveyed by Gartner in December cited security and privacy in the public cloud as top concerns.
Of the 55 per cent who indicated security and privacy were top of mind when it came to cloud, 19 per cent said they were concerned about lack of visibility into who is accessing data and applications. 12 per cent of respondents said they had a lack of confidence in the cloud provider’s security capabilities, and 8 per cent said there was unclear liability if there is an attack or loss of data.
An additional 8 per cent said that clouds are attractive targets for hackers as they concentrate risk.
However, Warrilow said that many of these concerns are “emotive” and security managers who try to block the use of public cloud services without balancing business priorities are causing “missed opportunities” and potentially unnecessary security expenditures.
“Don’t let your security people scare you into missing opportunities Cloud security ecosystems such as cloud management platforms, security as a service, secure Web gateway and cloud access security brokers will address these issues,” he said.
Follow Hamish Barwick on Twitter: @HamishBarwick