Cloudy With a Chance of Data Breaches?

By Adam Boone

It happens all the time: A company is moving to adopt the cloud, but someone in the security team starts raining on the parade.

How will you secure the traffic moving into the cloud environment? How will you ensure sensitive data is kept in control and properly encrypted while it is in the cloud?

These are good questions. With the continuing drumbeat about high-profile data breaches making headlines every day, it’s no wonder that security questions might dampen enthusiasm for a new approach to IT like the cloud.

Surveys of IT managers have found that concern over information security is a frequently cited reason that companies delay or slow adoption of cloud services. If you are selling cloud services to enterprise customers, you might have already encountered security questions related to data encryption, access control, and auditing and reporting options.

But suppliers of cloud, telecom and IT solutions can actually turn security questions into strong selling points if they follow a few simple rules of thumb for security planning. There’s nothing exotic or inherently risky about the cloud when compared to the huge mix of other IT systems, applications, new devices or services being deployed in the typical enterprise IT environment. It’s simply a matter of looking at cloud services from a security practitioner’s point of view.

First, you should make sure that security questions are out on the table early in the discussion and evaluation of a proposed cloud service. Even though the cloud offering is usually a managed service, many of the security questions an IT manager will raise will sound more like those you would ask when evaluating an enterprise application. So those questions should be considered as early as possible in the process. What sort of data will be used with the cloud applications? Will it be moved, processed or stored in the cloud? How will it be protected when it is moved, processed or stored?

Second, you should evaluate cloud security using the “CIA Triad.” In this case, CIA stands for “Confidentiality, Integrity, and Availability,” and it is the framework that security practitioners use for evaluating information security. It can be used like this:

  • Confidentiality: How is the enterprise data to be kept confidential? Will it be encrypted when it is moving to or in the cloud? Will the enterprise itself control the encryption keys?
  • Integrity: How can you ensure that the data is not compromised or tampered with while in the cloud? Are there ways to prevent man-in-the-middle attacks or otherwise verify that data is not being modified?
  • Availability: How can you ensure that cloud-based data will be available when it is needed? How will you prevent denial-of-service attacks or vulnerabilities that lead to data access failures?

The great news is that there are solid, proven answers to these and the other security questions that may arise as enterprises consider adopting the cloud. A straightforward, early exploration of these issues will help your IT weather forecast be “Cloudy with zero chance of data breaches.”

Adam Boone is chief marketing officer of Certes Networks, a provider of IT security products that protect sensitive data in enterprise IT, cloud and mobile device deployments. He previously held positions at Sipera Systems, Subex, Syndesis, CoManage, FORE Systems and Marconi.
Twitter: @aboone20
