Security Checklist for Cloud Software

Cloud computing has shaped the way businesses view and manage data - so much so that cloud computing terminology is ingrained into everyday business vernacular. For instance, cloud storage applications are often used as a seamless way of collaborating on, and managing key data sets in an efficient and cost-effective way. But as business leaders and technology analysts look to the future of cloud software implementation on an enterprise level, there is still a growing concern over security. In fact, security has always been the primary criticism of cloud technology.

Without the facts it’s easy to assume that cloud security has evolved in such a way that these concerns have subsided entirely. While it is true that cloud security has dramatically improved in recent years – this still doesn’t represent the big picture. The reality is that even as organizations migrate their data to cloud-based solutions, it is incredibly difficult to measure and evaluate the security of a particular cloud application, especially if you don’t know what to look for.

As for cloud growth, according to a recent Forbes article, the Ponemon Institute conducted a study of over 4,200 business and IT managers. The study revealed that enterprise cloud adoption has grown by roughly 10% from 2012. Another Ponemon survey given to nearly 800 IT professionals revealed that most organizations are not taking the proper precautions when moving their sensitive data to the cloud. The survey also indicated that roughly 54% of all respondents experienced five major data breaches that involved theft or data loss from a mobile device.

Both of these studies reveal two sides of the same coin. On one side, cloud computing - particularly cloud storage - is drastically changing how organizations are managing and housing data. On the other side is the reality that while more enterprise data is being managed in the cloud, it is becoming more susceptible to major data vulnerabilities.

In this whitepaper we will unpack eight essential components of cloud security, and how each organization should use these criteria to heavily scrutinize cloud applications before adopting them. It’s important to note that while this whitepaper provides a solid

II. The Security Checklist

1. SSL Encryption

While cloud security is not a one-size-fits-all solution for every organization out there, SSL Encryption should be a non-negotiable component of every cloud application an organization evaluates. To the untrained eye, SSL encryption seems like an outdated and archaic approach to data security when compared to a groundbreaking technology like cloud computing. However, it still remains one of the most effective ways to ensure data remains secure in the cloud. Essentially, SSL Encryption technology prevents unauthorized users from viewing and/or accessing data within a cloud system.

Originally developed by Netscape, SSL Encryption uses a public key infrastructure. This means that when a file is uploaded into a cloud server, the file in question is encrypted with a public key. From there the file is deciphered with a private key. This ensures that only the file owners can view the data. In other words, all files are encrypted in both the downloading and uploading process.

From here it’s tempting to assume that all SSL Encryption solutions are created equal. In fact, the opposite is actually true. There are certain criteria that every SSL and Certificate Authority (CA) should meet. For instance, SSLs should use independently verified CAs. This means the CA should support at least AES 128-bit encryption, but preferably should support 256-bit data encryption based on the 2028-bit global root system.

2. Uptime

Downtime is a major concern for any organization migrating data into the cloud. According to a 2012 survey by the Seagate cloud storage subsidiary Evault, roughly 54% of all IT departments experienced major data loss from downtime in the preceding 12 months. While downtime instances have improved, downtime still remains one of the main issues surrounding full-scale cloud adoption.

For better or worse, a cloud application is only as effective as its hosting provider. The cloud provider should be able to almost guarantee at least 99.9% uptime. Anything less than that is not worth the investment. Downtime is costly, not just for the cloud provider, but for any organization implementing the cloud application. Depending on the scope of the cloud application and the size of the adopting organization, downtime can cost upwards of hundreds of thousands of dollars per hour.

3. Regular Backups & Disaster Recovery

For any organization migrating massive amounts of data to a cloud provider, regular and automated backups are essential. At a bare minimum, a quality cloud provider should provide backups and data snapshots on a daily basis. Data loss due to faulty backup methods is a major area concern for enterprise organizations migrating to the cloud. A cloud provider’s backup technology should work in harmony with any future or existing disaster recovery plan set in place.

Failover and Disaster Recovery should be deeply integrated into any cloud solution. In other words, a disaster recovery plan should be in place from day one to deal with any unforeseen disaster - natural or man-made. This means that the cloud provider in question should have a clear plan for recovering and restoring lost data quickly and effectively. This often involves having trusted and verified backup vendors, as well as a clear path for quick response times to a data-related crisis.

4. Internal Audits

While not at the very top of the security list, Internal Audits are incredibly important to establishing secure cloud applications. This involves regularly auditing internal business processes, as well as accreditation (SSAE16 and SAS70, for example) and certifications of cloud applications. Additionally, a quality cloud provider should be certified under industry-accepted ISO 27001, SOC1/2 and PCI Level 1 certifications.

The bottom line is that having an audit trail in place, accounting for all user activity, mitigates risk - especially if you’re in the middle of a deal. It documents who has access to specific data sets. Beyond deal management, internal audits provide an added layer of operational efficiency. They allow every administrative user to view every user’s activity within the cloud application. They aid in project management by showing who is working on a specific project, and who is interested in a specific deal.

5. Strong Password Policy

One of the easiest and most effective ways to manage cloud security is through a robust password policy. This is primarily carried out on the software level. In other words, strong password policy should be encouraged and easily implemented within the cloud application. For instance, on the software side of things there should be some visual indicators of a weak, strong or passable password within the application. Any valuable cloud provider will have a strong password policy built into their applications.
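The "weak / passable / strong" indicator the paper describes needs a server-side grader behind it, since a purely visual hint in the browser can be bypassed. The following is an added example, not the whitepaper's or Caplinked's code: it combines a minimum length, a deny-list check that ignores trailing digits, a repetition check, and a naive entropy estimate. The thresholds and the tiny deny-list are assumptions; a deployment would load a breached-password corpus.

```python
"""Added example (not from the whitepaper): grade a password as
'weak', 'passable' or 'strong' for the indicator the checklist calls for.
Thresholds and the deny-list below are assumptions."""
import math
import string

# Constructed deny-list for illustration; load a real breached-password set in production.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome"}


def _charset_size(pw: str) -> int:
    """Size of the alphabet the password visibly draws from."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)
    if any(c.isspace() for c in pw):
        size += 1
    return size


def estimate_entropy_bits(pw: str) -> float:
    """Naive estimate: length * log2(alphabet). An upper bound, since it
    assumes every character was chosen uniformly at random."""
    if not pw:
        return 0.0
    return len(pw) * math.log2(_charset_size(pw))


def grade_password(pw: str) -> str:
    """Deny-listed, short or highly repetitive passwords are weak regardless
    of their estimated entropy; the rest are graded by entropy and length."""
    base = pw.lower().rstrip(string.digits)      # 'Password123' -> 'password'
    if base in COMMON_PASSWORDS or len(pw) < 8:
        return "weak"
    if len(set(pw)) <= 2:                         # 'aaaaaaaa', 'abababab'
        return "weak"
    bits = estimate_entropy_bits(pw)
    if bits >= 60 and len(pw) >= 12:
        return "strong"
    if bits >= 36:
        return "passable"
    return "weak"
```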

6. Activity Tracking

Robust reporting is essential to managing and implementing security measures throughout a cloud-based system. Ensure that these reports are easy to create and access in a way that leaves a clear audit trail of all cloud-based processes and tools. In basic terms, everything should be trackable within a quality cloud solution.

Reporting should work in tandem with any internal audits that are conducted. In fact, as data becomes increasingly larger and more complex in the cloud, every process within an application should be tracked. Not only does activity tracking move the internal audit process along, but it aids in project management, as it allows every administrative user access to critical information on data essential to closing all kinds of transactions in the cloud.

7. Administrative Control

Any organization should have deep administrative control over any cloud application they integrate. This generally means that it is easy to manage administrative accounts in a way that ensures the IT department knows exactly who has access to mission-critical data in the cloud. From here, modifying user controls should be quick and easy.
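Sections 4, 6 and 7 all rest on one artifact: an audit trail that records who accessed which data set and who changed whose permissions, and that an auditor can trust. The following is an added example, not code from the whitepaper or Caplinked: a hash-chained, append-only trail in which every entry commits to the previous one, so an edited or deleted record is detectable, plus the "who touched this data set" view an administrator would pull. The event schema (actor, action, target, details) is an assumption.

```python
"""Added example (not from the whitepaper): a tamper-evident audit trail.
Each entry stores the SHA-256 of its own fields plus the previous entry's hash,
so editing, reordering or deleting a record breaks verification."""
import hashlib
import json
from typing import Dict, List, Optional

GENESIS = "0" * 64   # 'previous hash' of the very first entry


def _digest(fields: Dict) -> str:
    """Canonical JSON (sorted keys) so the hash does not depend on field order."""
    return hashlib.sha256(json.dumps(fields, sort_keys=True).encode()).hexdigest()


class AuditTrail:
    def __init__(self) -> None:
        self.entries: List[Dict] = []

    def record(self, actor: str, action: str, target: str, **details) -> Dict:
        """Append one event; 'details' is free-form (grantee, role, file ...)."""
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        entry = {"seq": len(self.entries), "actor": actor, "action": action,
                 "target": target, "details": details, "prev": prev}
        entry["hash"] = _digest(entry)     # hash covers every field above
        self.entries.append(entry)
        return entry

    def verify(self) -> Optional[int]:
        """None if the chain is intact, else the index of the first bad entry."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            fields = {k: v for k, v in e.items() if k != "hash"}
            if e["seq"] != i or e["prev"] != prev or _digest(fields) != e["hash"]:
                return i
            prev = e["hash"]
        return None

    def access_report(self, target: str) -> List[str]:
        """Actors who touched a data set, in order (section 4's 'who has access')."""
        return [e["actor"] for e in self.entries if e["target"] == target]


def build_sample_trail() -> AuditTrail:
    """Constructed sample events, not real data."""
    trail = AuditTrail()
    trail.record("alice", "grant", "dataset/q3-financials", grantee="bob", role="viewer")
    trail.record("bob", "download", "dataset/q3-financials", file="ledger.xlsx")
    trail.record("carol", "view", "dataset/m-and-a")
    return trail
```

Persist the entries somewhere the application's own administrators cannot rewrite (a separate log service or write-once storage); the chain detects tampering but cannot prevent it on its own.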

8. Avoid Java & Flash-based Cloud Applications

Lastly, avoid any cloud solution that is based on Java or Flash. First off, Java and Flash are inherently incompatible with iOS devices, which dramatically limits any organization’s ability to mobilize their cloud-based data management efforts. Secondly, both Java and Flash bog down browsers, and generally require that users download endless plugins to remain compatible. Lastly, Java poses major security risks. According to a recent NBC article, Java-designed applications were responsible for well over 50% of all cyber attacks in 2012.

III. Conclusion

For many organizations, when considering all the security risks, moving data to the cloud is a scary prospect. The good news is that it does not have to be that way. Cloud applications are designed to make life easier for any organization. It all comes down to preparation for adopting a new cloud application. If the cloud application meets all of the above criteria it is definitely worth the investment. Caplinked is at the forefront of the robust cloud security movement. With Capsafe Security, all cloud-based data is backed up and protected with cutting edge security and encryption technologies.

References:

https://blog.cloudsecurityalliance.org/2011/09/30/when-it-comes-to-cloud-security-don%E2%80%99t-forget-ssl/

http://www.forbes.com/sites/joemckendrick/2013/06/29/enterprises-security-practices-not-keeping-pace-with-cloud-growth-studies-find/

http://www.nbcnews.com/technology/technolog/us-warns-java-software-security-concerns-escalate-1B7938755

http://use.caplinked.com/security/

http://www.crn.com/slide-shows/storage/240148599/6-surprising-surveys-about-causes-and-effects-of-system-down-
