Since its inception, cloud computing has had a reputation for being high-risk where information security is concerned, and according to a new study that reputation is still deserved. Enterprises looking to the cloud to increase agility or cut costs should be aware of these issues, and CISOs need to understand the methods at their disposal for reducing the risk to data that is stored or processed in the cloud.
Security and the Cloud
Forbes' report on a new study highlights alarming cloud computing security trends in the health-care industry.
The study looked at cloud services currently used by health-care providers and graded them against 54 security criteria. Just over 13 percent were rated high-risk and 77 percent medium-risk, leaving fewer than 10 percent of cloud services with an acceptable level of security. The study also shows how pervasive cloud use has become: organizations use an average of 944 cloud services and 118 collaborative services across all sectors surveyed, and 53 percent of employees use three or more devices for business purposes, each of which adds to the attack surface an intruder can probe.
As eye-opening as these numbers are, they come from the tightly regulated health-care field; it is reasonable to expect the picture to be worse across the business world as a whole. Remember, too, that the study examined only the deficiencies of cloud providers, which is just half of the problem. Even if a cloud provider is secure, an application that is not developed and tested properly can be just as damaging and embarrassing for the company that deploys it.
The Two-Pronged Approach to Enterprise Security
CISOs have to approach the issues regarding cloud computing security in two ways: one focusing on cloud services, and the other on developed applications.
To manage cloud services effectively, start with a comprehensive audit of cloud providers. IT managers should already be doing these audits as part of their due diligence, but CISOs and other information-security personnel need a role in the process to confirm that any prospective vendor offers baseline controls such as encryption of data at rest and two-factor authentication. Check the detail behind each claim: who holds the encryption keys, whether backups and logs are covered as well as primary storage, and whether two-factor authentication is enforced for administrative accounts rather than merely offered as an option.
Once a vendor's security measures are judged adequate, CISOs should look inward at their enterprises' new and existing applications, a process that is more complicated when the cloud is involved. Cloud platforms allow applications to be developed and released rapidly, especially when teams adopt an Agile methodology, so it is imperative that firms integrate security testing into their Software Development Life Cycles. CISOs must begin with a discovery process, which in enterprise cloud environments usually turns up more applications and teams than anyone expected, together with an audit of all development teams, their respective apps and their release cycles. With a complete development map in place, enterprises can begin integrating in-development testing to ensure that new apps are secure when they are released.
All existing cloud-based applications, which should also be captured in the discovery process, have to be scanned for vulnerabilities without grinding IT to a halt. Scanning the whole catalog in parallel for common vulnerability classes, such as those in the OWASP Top 10, gives a useful first picture of the apps' overall strength, and critical apps should then undergo deeper scans so the enterprise gets a more comprehensive view of their weaknesses. CISOs may want to consider cloud-based scanning services for this work, since a cloud-security vendor is likely to understand cloud deployments better than a legacy on-premises product, and a lightweight scan can be run across an entire catalog of apps.
Finally, when working in cloud environments, CISOs have to understand the risks inherent in third-party and open-source software. Such components can carry vulnerabilities that are hard to catch at runtime, and their source code is not always available. Security solutions that analyze binary code address that gap by identifying the components and versions an application actually ships with. These solutions, often sold as part of a larger package, can hand much of the identification and triage work to the security vendor, freeing enterprise IT resources for other pressing tasks; the remediation itself, upgrading or replacing the affected component, still falls to the enterprise.
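The scanning steps above, inventorying what an application's binaries contain and comparing that against known-vulnerable versions, can be illustrated with a small script. This is an added example, not code from the article or from any vendor it mentions. It uses the simplest form of binary component analysis, matching the version banners that libraries such as OpenSSL and zlib embed in compiled code, rather than the deeper signature or control-flow matching commercial tools perform. The "binary" it scans is a constructed byte string, and the advisory table holds a single real entry (CVE-2014-0160, Heartbleed, which affects OpenSSL 1.0.1 through 1.0.1f and was fixed in 1.0.1g); the banner regexes are assumptions for this example, not an authoritative signature set.

```python
"""Banner-matching scan of a binary for known-vulnerable third-party components.

Added example, not the article's or any vendor's code. The sample binary and
the banner patterns are constructed for illustration.
"""
import re
from typing import Dict, List, Tuple

# Runs of 4+ printable ASCII bytes, the same heuristic strings(1) uses by default.
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{4,}")

# Banners that common libraries embed in compiled code. These patterns are an
# assumption for this example; a production signature set would be far larger.
BANNER_PATTERNS = {
    "openssl": re.compile(r"OpenSSL (\d+\.\d+\.\d+[a-z]?)"),
    "zlib": re.compile(r"(?:zlib|inflate) (\d+\.\d+\.\d+)"),
}

# Advisory table: library -> [(advisory id, first affected, first fixed)].
# The only entry is real: CVE-2014-0160 (Heartbleed) affects OpenSSL 1.0.1
# up to and including 1.0.1f; 1.0.1g is the first fixed release.
ADVISORIES: Dict[str, List[Tuple[str, str, str]]] = {
    "openssl": [("CVE-2014-0160", "1.0.1", "1.0.1g")],
}


def parse_version(version: str) -> Tuple[int, int, int, int]:
    """Turn 'major.minor.patch[letter]' into a comparable tuple.

    OpenSSL's letter suffixes (1.0.1f < 1.0.1g) map to 6 and 7; no letter is 0,
    so 1.0.1 sorts before 1.0.1a.
    """
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)([a-z]?)", version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch, letter = m.groups()
    suffix = ord(letter) - ord("a") + 1 if letter else 0
    return (int(major), int(minor), int(patch), suffix)


def extract_strings(blob: bytes) -> List[str]:
    """Pull printable strings out of a binary, as strings(1) would."""
    return [run.decode("ascii") for run in PRINTABLE_RUN.findall(blob)]


def inventory_components(blob: bytes) -> Dict[str, str]:
    """Map each recognised library to the version its banner reports."""
    found: Dict[str, str] = {}
    for text in extract_strings(blob):
        for lib, pattern in BANNER_PATTERNS.items():
            m = pattern.search(text)
            if m and lib not in found:
                found[lib] = m.group(1)
    return found


def is_affected(version: str, first_affected: str, first_fixed: str) -> bool:
    """True if first_affected <= version < first_fixed."""
    v = parse_version(version)
    return parse_version(first_affected) <= v < parse_version(first_fixed)


def scan_binary(blob: bytes) -> Dict[str, object]:
    """Inventory the binary's components and flag any in an advisory range.

    A component that is inventoried but has no finding is still useful output:
    it is what you will need when the next advisory lands.
    """
    components = inventory_components(blob)
    findings = [
        (lib, version, adv_id)
        for lib, version in components.items()
        for adv_id, first_affected, first_fixed in ADVISORIES.get(lib, [])
        if is_affected(version, first_affected, first_fixed)
    ]
    return {"components": components, "findings": findings}


def build_sample_binary(openssl_version: str) -> bytes:
    """Constructed stand-in for a stripped executable: filler bytes plus the
    banners OpenSSL and zlib really embed. It is not a runnable program."""
    filler = b"\x7fELF" + b"\x00\x01\x02\x03" * 8
    return (
        filler
        + b"OpenSSL " + openssl_version.encode("ascii") + b" 6 Jan 2014\x00"
        + filler
        + b"inflate 1.2.8 Copyright 1995-2013 Mark Adler\x00"
        + filler
    )


if __name__ == "__main__":
    for ver in ("1.0.1f", "1.0.1g"):
        report = scan_binary(build_sample_binary(ver))
        print(f"OpenSSL {ver}: components={report['components']} findings={report['findings']}")
```

Banner matching is cheap enough to run across a whole catalog of artifacts, which makes it a reasonable first pass, but it only finds what a library announces about itself: a statically linked library whose banner was stripped, or one patched by a distribution without changing its version string, will be missed or misreported. Treat a clean result as "no known banner matched", not as proof of absence, and use the component inventory it produces as the starting point for the deeper scans and the upgrade work that remain the enterprise's responsibility.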
Even as the cloud becomes more secure, cloud vendors that cut corners to cut costs will continue to give their industry a bad reputation. Enterprise information-security leaders cannot always control which cloud vendors are used, but they can ensure their own applications are as secure as possible before they are deployed to the cloud, giving their businesses a significant advantage over the competition.