Any discussion of Cloud security typically revolves around “end point” security and the mechanisms that are being put in place by Cloud vendors (such as encryption, user management redundancy, disaster recovery and business continuity) to ensure that the Cloud is secure. While this type of discussion is important, it reveals only half the picture. Security of organizational data is not merely a hardware/software issue or a compliance issue. It vitally concerns the organization, the very existence, competitiveness of the business. Security decisions must continue to vest with the organization—however sophisticated the software or hardware that is being provided by the Cloud backup vendor. These are but tools, which ensure security. But, they cannot replace security planning and policy.

Unfortunately, most organizations subscribing to the Cloud are quick to assume that security is the responsibility of the Cloud vendor. This belief may have something to do with the hype that surrounds Cloud security systems. Cloud vendors, out to prove that their Cloud is more secure than that of the competition, assure their customers that they have the best encryption systems, the best disaster recovery protocols in place, and so on. They emphasize on the unblemished data security records they hold. This hype distracts the attention and focuses it away from the core business imperatives of the organization—namely the need for policy driven security implementation.

Security is ultimately, the concern of the organization. It is the intellectual property of the enterprise that is at stake.  Data breaches will result in loss of reputation, loss of business, and expensive legal action. Mature organizations understand that Cloud services provide only the necessary security infrastructure (doors and windows) but, the security mechanism (locks, access rights, and keys) will have to be activated and maintained by the consuming organization. They may use IT control objectives and management governance frameworks, such as COBIT 5.0 to verify the security objectives of the Cloud vendor and determine whether the objectives are in synchronization with their own, but they will subject their Cloud vendor system and their own IT network to rigorous testing and evaluation to ensure security.

Enterprise security evaluation begins with the identification of end points. Major questions being: Who connects to the network? What are the devices that are used to connect to the network? What kinds of applications are used and for what purpose?  The answers to these questions will be unique for each organization. There can be no “one size fits all” answers to these questions.  There will be device risks and application risks. Each type of risk will have to be examined in depth. The security system must be built up with complete understanding and unceasing effort.