The economics of cloud computing, and the public cloud in particular, are compelling enough that even large enterprises with substantial risk to manage are using the cloud to run applications and store corporate data.
This means that the data is outside the organization's conventional perimeter. It may be in cloud infrastructure managed by the enterprise, or it may be on systems managed by SaaS providers such as Salesforce for CRM, Office 365 or GitHub.
So what are the risks? Broadly speaking, the big risk is losing control of your data, which can have devastating repercussions for your business.
Running in the public cloud means you are running on systems with other cloud tenants under control of software owned and operated not by you, but by the cloud provider. Even though the cloud provider has secure infrastructure, you bear the primary responsibility for protecting your own data.
The growth of the cloud is also concurrent with, and a contributing factor in, the growth of mobile computing. Historically, cloud and mobile have been consumer-driven; security got lots of lip service but was certainly not the highest priority. Users just wanted to use all those cool apps to get their work done, and they'd go around the IT department if they had to.
For enterprises, security has to be the highest priority for storing confidential data in the cloud, and it can be done securely if you follow best practices. Among the measures you must take:
- Secure your data in transit: Ensure that your data is physically secure (this is the cloud provider's job) and that all connections to the cloud are secure. This means all web connections use HTTPS conforming to the most current cryptography standards.
- Secure your data at rest: You must make careful use of Identity and Access Management to ensure that only the intended users have access to restricted data. Use application-level facilities, such as folder permissions in Microsoft Office 365 OneDrive, to enforce the same permissions.
- Monitor your users and their activity: Employ an SSO (Single Sign-On) system to control user access to cloud resources. Log all activity and analyze the logs for anomalous behavior, such as the same user logging in from California and China in the same time frame. It is also wise to set up periodic reporting on usage patterns to spot anomalous activity and exposure of sensitive data, as well as to track usage trends to help refine operational processes.
- Ensure that corporate endpoints are secure: Use security software and devices on both endpoints and the networks to which they connect in order to block malware and prevent the use of stolen credentials.
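As an added illustration of the log analysis described under "Monitor your users and their activity" (example code, not from the original article): the "same user in California and China in the same time frame" case is an impossible-travel check. The log format, the GeoIP-derived coordinates and the 900 km/h ceiling are assumptions; the sample lines are constructed.

```python
# Added example: flag "impossible travel", i.e. one account authenticating from
# two places further apart than anyone could have moved in the elapsed time.
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt


@dataclass
class Login:
    user: str
    ts: datetime
    lat: float
    lon: float


# Constructed sample log: "<user> <UTC timestamp> <lat> <lon>" (hypothetical
# format; coordinates assumed to come from a GeoIP lookup of the source IP).
SAMPLE_LOG = """\
alice 2024-05-01T09:00:00Z 37.77 -122.42
bob   2024-05-01T09:05:00Z 37.77 -122.42
alice 2024-05-01T10:30:00Z 31.23 121.47
bob   2024-05-01T12:00:00Z 34.05 -118.24
"""


def parse_log(text: str) -> list[Login]:
    events = []
    for line in text.splitlines():
        user, ts, lat, lon = line.split()
        events.append(Login(user, datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                            float(lat), float(lon)))
    return events


def distance_km(a: Login, b: Login) -> float:
    """Great-circle (haversine) distance between two login locations."""
    lat1, lon1, lat2, lon2 = map(radians, (a.lat, a.lon, b.lat, b.lon))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def impossible_travel(events: list[Login], max_kmh: float = 900.0) -> list[tuple[str, int]]:
    """Return (user, implied km/h) for consecutive logins that exceed max_kmh."""
    alerts, last_seen = [], {}
    for ev in sorted(events, key=lambda e: e.ts):  # logs are rarely in order
        prev = last_seen.get(ev.user)
        if prev is not None:
            hours = (ev.ts - prev.ts).total_seconds() / 3600
            km = distance_km(prev, ev)
            # Near-simultaneous logins from distinct places are still impossible.
            speed = km / hours if hours > 0 else (float("inf") if km > 1 else 0.0)
            if speed > max_kmh:
                alerts.append((ev.user, round(speed)))
        last_seen[ev.user] = ev
    return alerts
```

Tune the speed ceiling to your own false-positive tolerance; VPN egress points and mobile carrier NAT will also produce apparent jumps that a GeoIP-based rule cannot distinguish from a stolen credential on its own.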
Yes, you can protect your assets in the cloud just as well as on your own hardware and software in your own data center. Cloud providers have already made substantial investments in many of the aspects of security you need, such as the physical and connectivity aspects. But for IaaS, the parts that are not virtualized - the operating system, the data management, the communications with the outside world - are your responsibility. Even for SaaS, you need to manage most aspects of data security.
Cloud security providers give you a comprehensive suite of tools at a more affordable price than you are likely to have on your own. Do it right, and it doesn't matter who owns the infrastructure, because you retain all the control.