There is no “if” about the adoption of cloud computing anymore; it is the “when” that dominates the enterprise scene. But accelerating cloud adoption is not reducing the security fears of the pioneers, followers or stragglers. This is because most security officers in enterprises are projecting their own internal security weaknesses onto the cloud. They are transferring their own inability to handle governance, risk management and regulatory compliance to the cloud platform in the hope that solutions will be found for them by the experts who run the cloud. This is an unhealthy practice that must be curbed. There are plenty of cloud risks without enterprises adding their own deficient security practices to the burden.
Transitioning to the cloud demands the formulation of a comprehensive cloud strategy. This is especially true for industries that have to comply with regulations such as HIPAA, SOX or PCI. The point of highest risk is the point of access. The more privileged the user, the greater the access to sensitive systems and hence the greater the vulnerability. The CEO, CFO or head of HR are often the targets of “whaling attacks”. They have the power to veto security controls that they do not like and may refuse to knuckle under any blanket bans on risky devices such as laptops, mobile phones and smartphones. Security officers may therefore have to establish security by putting in place elaborate authentication, access control and identity enforcement protocols.
This first step will reveal a security roadmap for the enterprise. The transition to the cloud can be orchestrated by getting the cloud provider to conform to internal security controls. Thereafter, it is a simple step forward: move the data center to the third-party vendor slowly and deliberately, understanding security risks and dealing with them every step of the way. The data should be shifted only after the security mapping is complete.
But it is important to remember that post-migration complacency is dangerous. Constant vigilance is a must. Enterprises must not take the cloud vendor’s word at face value when it comes to security. CIOs and security officers must evaluate the cloud vendor’s governance and infrastructure, its security policies and practices, and question the methodologies for enforcing those policies. This is just the start of an exercise that must continue throughout the life cycle of the enterprise’s relationship with its data and with those who are selected to handle the data.