Grounded in the Cloud
Cloud Security Threats - Lack of due diligence when moving to the cloud

SimonLeech

This is the fourth blog in a series of 5 looking at some specific cloud security threats identified by the Cloud Security Alliance, available to download here. The other articles in the series can be accessed by searching the blog for the tag cloudsecthreats.

This time we will look at the idea of due diligence in moving to the cloud. The Cloud Security Alliance identified the lack of sufficient due diligence before the move as one of the security challenges of moving to the cloud and, whilst this is perhaps not an obvious inclusion in a primarily technical study, it is definitely an area that should be carefully examined.

The premise behind this concern is that customers move data from highly available data centers within their own organization and geography into cloud infrastructures that should also be highly available and very elastic, but very often there is limited clarity as to exactly where the data resides, especially with some of the larger cloud service providers (CSPs). Add to this the fact that, whilst moving data and applications to the cloud gives you the opportunity to outsource the operation of your IT environment, you can never outsource your organizational risk: it is up to you to decide what goes into the cloud, and whether it is a risk that you can afford to take. Whilst every CSP will offer SLAs of some kind, it is worth reading the small print to see how these compare across providers, and whether they are really enforceable when problems occur.

Amongst the many things to consider, it is definitely worth looking at confidentiality, availability, and the impact of compliance.


Confidentiality: Before deciding whether a data set can reside in the cloud, it is important to understand the classification of organizational assets. What would the impact to the business be should the data set inadvertently end up in the public realm? How would it damage the company's reputation? Various records management solutions can help with this (for example HPE Verity), but more often than not organizations do not have a clear understanding of the importance of their data.

Once the data has been classified and the risk understood, various technical controls can be used to protect the information. In some cases adequate access control rules may be enough, whereas encryption solutions (for example the HPE Security – Data Security range of products) may be deemed necessary for critical customer data, and in other situations the organization may decide that the data is simply too critical to host outside the four walls of the on-premise data center.

Availability: Availability is one of the main benefits of cloud-based technologies. The ability to scale elastically based on a workload's requirements, and to support access to data on a 24/7 basis, are definite plus points. But understanding the impact of non-availability is also key: how long can your business tolerate a traditional application losing access to a cloud-based backend database? Can real-time applications deal with the latency introduced by the move to the cloud? How quickly can DRaaS get you back online? And what happens to your data if your CSP goes out of business? During the due diligence process all of these need to be considered and built into the business strategy and continuity planning policies.

Impact of compliance: Regulatory compliance is something that has been covered in detail by this blog in the past, for example here and here. From a due diligence perspective it is important to understand which compliance regulations are relevant for your business. Are you performing credit card transactions? Look at PCI. Maintaining US health data? HIPAA. Storing personal data from citizens in the EU? GDPR and the new EU-US Privacy Shield. And there are many others. Given that many regulations impose sizeable monetary penalties for non-compliance, and will also hold company directors personally liable, it is vital that an organization understands its compliance requirements before embracing the cloud.
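The three questions above (does the classification permit the move and with which controls, is it known where the data will reside and is that location permitted, and does the provider's SLA fit the outage the business can tolerate) can be written down as a repeatable check rather than answered ad hoc per project. The following is an added example, not code from the post or from HPE; the classification scheme, the control names, the regulation-to-region mapping and the sample proposals are all constructed assumptions for illustration and not any provider's or regulator's real terms.

```python
"""Due-diligence gate for a proposed cloud migration (constructed example).

Turns the questions from the post into checks that produce a list of
findings. Every rule value below is an assumption for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Classification levels from least to most sensitive (assumed scheme).
LEVELS = ["public", "internal", "confidential", "restricted"]

# Minimum technical controls per level (assumption). None means the data
# may not leave the on-premise data center at all.
REQUIRED_CONTROLS: Dict[str, Optional[Set[str]]] = {
    "public": set(),
    "internal": {"access_control"},
    "confidential": {"access_control", "encryption_at_rest", "encryption_in_transit"},
    "restricted": None,
}

# Regions in which data covered by a regulation may reside (assumption;
# the region names are made up for this example).
REGULATION_REGIONS: Dict[str, Set[str]] = {
    "GDPR": {"eu-west", "eu-central"},
    "HIPAA": {"us-east", "us-west"},
}

HOURS_PER_YEAR = 8760.0


@dataclass
class Proposal:
    dataset: str
    classification: str
    regulations: Set[str]
    controls: Set[str]                 # controls the target cloud setup will have
    region: Optional[str]              # None: the CSP could not say where data lives
    sla_availability_pct: float        # e.g. 99.9 from the CSP's SLA
    max_tolerable_outage_hours: float  # from the business continuity plan


def max_outage_hours(sla_pct: float) -> float:
    """Worst-case annual downtime the SLA still permits, in hours."""
    return HOURS_PER_YEAR * (100.0 - sla_pct) / 100.0


def assess(p: Proposal) -> List[str]:
    """Return the due-diligence findings for one proposal; empty means no blocker."""
    findings: List[str] = []
    if p.classification not in LEVELS:
        return [f"{p.dataset}: unknown classification '{p.classification}'"]

    # Confidentiality: the controls must match the classification.
    required = REQUIRED_CONTROLS[p.classification]
    if required is None:
        findings.append(f"{p.dataset}: classified restricted, must stay on-premise")
    else:
        missing = required - p.controls
        if missing:
            findings.append(f"{p.dataset}: missing controls {sorted(missing)}")

    # Residency: an unknown location is itself a finding; a known location
    # must be permitted by every regulation that applies to the data.
    if p.region is None:
        findings.append(f"{p.dataset}: CSP cannot state where the data will reside")
    else:
        for reg in sorted(p.regulations):
            allowed = REGULATION_REGIONS.get(reg)
            if allowed is None:
                findings.append(f"{p.dataset}: no residency rule defined for {reg}")
            elif p.region not in allowed:
                findings.append(f"{p.dataset}: region {p.region} not permitted under {reg}")

    # Availability: the outage the SLA allows must fit the business's tolerance.
    implied = max_outage_hours(p.sla_availability_pct)
    if implied > p.max_tolerable_outage_hours:
        findings.append(
            f"{p.dataset}: SLA {p.sla_availability_pct}% allows {implied:.2f}h/year "
            f"downtime, business tolerates {p.max_tolerable_outage_hours}h"
        )
    return findings


# Constructed proposals: one clean, one with several problems, one on-prem only.
PROPOSALS = [
    Proposal("customer_profiles", "confidential", {"GDPR"},
             {"access_control", "encryption_at_rest", "encryption_in_transit"},
             "eu-west", 99.95, 8.0),
    Proposal("card_transactions", "confidential", {"PCI"},
             {"access_control"}, None, 99.9, 4.0),
    Proposal("board_minutes", "restricted", set(), {"access_control"},
             "eu-central", 99.99, 1.0),
]


def run(proposals=PROPOSALS) -> Dict[str, List[str]]:
    """Assess every proposal and return findings keyed by dataset name."""
    return {p.dataset: assess(p) for p in proposals}


if __name__ == "__main__":
    for name, findings in run().items():
        print(name, "->", "OK" if not findings else "")
        for finding in findings:
            print("  -", finding)
```

The point of the structure is that each finding names the due diligence question it came from, so a proposal that fails can be sent back with the specific gap (missing encryption, unknown residency, SLA too weak) rather than a blanket refusal, and the rule tables can be maintained by the risk owner without touching the check itself.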

There are enough examples of cloud data leakage, of data being lost as cloud-based services go out of business, and of executives going to jail to make a thorough due diligence process non-optional when moving to the cloud. At Hewlett Packard Enterprise we help customers understand the risks and benefits involved in moving to the cloud through a series of best-practice-led transformation workshops. If you're interested in how this could help your business, please click on the link.

About the Author

SimonLeech

Simon Leech is a Certified Information Systems Security Professional with a specialisation in Security Architecture (CISSP-ISSAP), Certified Information Security Manager (CISM), Certified in Risk and Information Systems Control (CRISC), Certified in Cloud Security Knowledge (CCSK) and Chief Technologist Security within the Hewlett Packard Enterprise EMEA Hybrid IT Team. Within Hewlett Packard Enterprise, Mr Leech is responsible for influencing and evangelising the security strategy of the Hybrid IT team. Simon is active on Twitter as @DigitalHeMan.
