Research from analyst firm Wikibon demonstrates that security has remained remarkably stable as the leading impediment to public cloud adoption. This is something I deal with constantly in my current role as CEO of my company’s new cloud division, where I spend much of my time working on the audits necessary to qualify for security certifications, speaking to analysts, etc. What I’ve found is that, while each organization has its own nuances, it’s clear where the market is headed. For simplicity, I’ve divided their requirements into four (somewhat arbitrary) categories: Data Handling, Mechanisms, Peace of Mind and Reporting.
Data Handling
While some organizations continue to store their most highly sensitive data on premises, this does not mean data stored in the cloud is not sensitive, nor does it give cloud providers an excuse to shirk responsibility for security. Indeed, many organizations rightfully demand that data they store in the cloud be encrypted at rest (especially when hosted in a public cloud environment), with the cryptographic keys stored on a separate server or on premises. The cloud solution provider must also have strong policies regarding data management, retention, migration, deletion and communication standards. Proper processes for employee training, hiring and off-boarding, while not always top of mind for cloud providers when they think about security, are also critically important to ensure good governance.
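The key-separation requirement above is easiest to see in code. The following is an added example (not from the original post or from any provider it describes) of envelope encryption: a `KeyServer` that lives on the customer side holds only the key-encryption key, while the `CloudDataStore` holds ciphertext plus a wrapped per-record data key and cannot read anything on its own. The names `KeyServer`, `CloudDataStore`, `destroy_kek` and the sample record are constructed for this illustration, and the SHA-256 counter-mode keystream with HMAC is a stand-in for a real AEAD such as AES-GCM so that the example runs with only the standard library.

```python
from __future__ import annotations

import hashlib
import hmac
import os


def _subkeys(key: bytes) -> tuple[bytes, bytes]:
    # Derive separate encryption and MAC keys from one 32-byte key.
    return (hashlib.sha256(b"enc" + key).digest(),
            hashlib.sha256(b"mac" + key).digest())


def _keystream_xor(enc_key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Constructed stand-in for a counter-mode cipher: each 32-byte keystream
    # block is SHA-256(enc_key || nonce || counter). Use AES-GCM in production.
    out = bytearray()
    for offset in range(0, len(data), 32):
        counter = (offset // 32).to_bytes(8, "big")
        block = hashlib.sha256(enc_key + nonce + counter).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; output layout is nonce(16) || ciphertext || tag(32)."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)
    ciphertext = _keystream_xor(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag in constant time before touching the ciphertext."""
    enc_key, mac_key = _subkeys(key)
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("ciphertext integrity check failed")
    return _keystream_xor(enc_key, nonce, ciphertext)


class KeyServer:
    """Key-management boundary (a separate server, or on premises).

    Holds only the key-encryption key (KEK). It wraps and unwraps per-record
    data keys (DEKs) and never sees customer plaintext.
    """

    def __init__(self) -> None:
        self._kek = os.urandom(32)

    def _require_kek(self) -> bytes:
        if self._kek is None:
            raise PermissionError("KEK destroyed; data is unrecoverable")
        return self._kek

    def new_data_key(self) -> tuple[bytes, bytes]:
        dek = os.urandom(32)
        return dek, encrypt(self._require_kek(), dek)

    def unwrap(self, wrapped_dek: bytes) -> bytes:
        return decrypt(self._require_kek(), wrapped_dek)

    def destroy_kek(self) -> None:
        # Crypto-shredding: deleting the KEK makes every record unreadable at
        # once, which is one way a retention/deletion policy can be enforced.
        self._kek = None


class CloudDataStore:
    """The provider side: stores ciphertext plus the wrapped DEK, nothing else."""

    def __init__(self) -> None:
        self.records: dict[str, tuple[bytes, bytes]] = {}

    def put(self, ks: KeyServer, record_id: str, plaintext: bytes) -> None:
        dek, wrapped = ks.new_data_key()
        self.records[record_id] = (wrapped, encrypt(dek, plaintext))

    def get(self, ks: KeyServer, record_id: str) -> bytes:
        wrapped, ciphertext = self.records[record_id]
        return decrypt(ks.unwrap(wrapped), ciphertext)


if __name__ == "__main__":
    ks, store = KeyServer(), CloudDataStore()
    store.put(ks, "r42", b"constructed sample: customer record 42")
    print(store.get(ks, "r42"))
```

The point of the split is that a copy of the provider's storage (or a provider insider) yields only ciphertext and wrapped keys; reading anything requires a round trip to the customer-controlled key server, which is also where access can be logged and, via `destroy_kek`, revoked outright.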
Mechanisms
Role-based access is the cornerstone of any security system, and the cloud is no exception. Administrators need a system that allows them to assign permissions to staff based on their role, with clearly demarcated rules about who has access to which information, who can make edits, etc. This often includes integration with Microsoft Active Directory and LDAP in order to support the authentication and authorization of all users and devices within a network. Most enterprises will also demand support for SSO tools like OpenID, Open Authorization (OAuth), SAML, Shibboleth and SSO servers.
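The role-based model described above, with roles bound to directory groups, as an added example that is not part of the original post and not any particular product's API. The group DNs, resource names and the `Grant`/`authorize` helpers are constructed for illustration; the design choice worth noting is that access is computed from group membership and is denied by default, so removing someone from a directory group during off-boarding removes their access everywhere at once.

```python
from __future__ import annotations

from dataclasses import dataclass
from enum import Flag, auto


class Perm(Flag):
    READ = auto()
    EDIT = auto()
    MANAGE = auto()   # change permissions on / administer the resource


# Role names map to permission sets; a role never implies anything outside this table.
ROLES: dict[str, Perm] = {
    "viewer": Perm.READ,
    "editor": Perm.READ | Perm.EDIT,
    "owner": Perm.READ | Perm.EDIT | Perm.MANAGE,
}


@dataclass(frozen=True)
class Grant:
    group_dn: str    # directory group (AD/LDAP DN) the grant is bound to
    role: str
    resource: str    # resource name, or "*" for every resource


# Constructed sample policy: roles attach to directory groups, not to individual
# users, so joining or leaving a group changes effective access immediately.
POLICY: list[Grant] = [
    Grant("CN=Finance-Viewers,OU=Groups,DC=example,DC=com", "viewer", "finance/reports"),
    Grant("CN=Finance-Analysts,OU=Groups,DC=example,DC=com", "editor", "finance/reports"),
    Grant("CN=Platform-Admins,OU=Groups,DC=example,DC=com", "owner", "*"),
]


def effective_perms(user_groups: set[str], resource: str,
                    policy: list[Grant] = POLICY) -> Perm:
    """Union of every grant whose group the user is in and whose resource matches."""
    perms = Perm(0)
    for grant in policy:
        if grant.group_dn in user_groups and grant.resource in (resource, "*"):
            perms |= ROLES.get(grant.role, Perm(0))   # unknown role grants nothing
    return perms


def authorize(user_groups: set[str], action: Perm, resource: str,
              policy: list[Grant] = POLICY) -> bool:
    """Deny by default: True only if the grants cover every bit of `action`."""
    return action in effective_perms(user_groups, resource, policy)


if __name__ == "__main__":
    analyst = {"CN=Finance-Analysts,OU=Groups,DC=example,DC=com"}
    print(authorize(analyst, Perm.EDIT, "finance/reports"))    # True
    print(authorize(analyst, Perm.MANAGE, "finance/reports"))  # False
```

In a real deployment the `user_groups` set comes from the SSO assertion or an LDAP lookup at login time; the authorization decision itself should stay this simple so that it can be audited by reading the policy table.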
Peace of Mind
Perhaps the most critical component of delivering enterprise peace of mind is ensuring near-continuous uptime for mission-critical applications. Today, most enterprise SLAs specify 99.5% or higher uptime, guaranteed by multiple layers of redundancy in data centers spread throughout the world. This also includes provisions for backup and recovery in case unforeseen disaster strikes, or for situations where demand increases drastically due to factors such as seasonal marketing campaigns or the deployment of a new application. The system should be able to absorb such traffic spikes by scaling up, rather than letting digital channels collapse.
Reporting
Enterprises will insist not just on access controls but also on accurate logs with detailed information on who accessed which systems and when, plus automated alerts in case abnormal behavior is detected or systems are compromised. In practice, this means cloud providers should be prepared to provide information on user session length (particularly for admin or privileged logins) and on CPU and memory usage over time, among other metrics.
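One concrete alert that the session-length metric makes possible, as an added example that is not part of the original post: a detector that pairs login and logout events from an audit log, measures each session against a per-role limit, and also flags sessions that were never closed. The log format, the field names, the role limits and the events themselves are constructed for this illustration; a provider's real audit log will differ, but the logic is the same.

```python
from __future__ import annotations

from datetime import datetime, timedelta, timezone

# Per-role limits on session length; privileged sessions get a short leash.
SESSION_LIMITS = {"admin": timedelta(hours=2), "user": timedelta(hours=12)}

# Constructed sample audit log: one event per line, timestamp then key=value fields.
SAMPLE_LOG = """
2024-05-01T08:00:00Z user=alice role=admin event=login session=s1 src=10.0.0.5
2024-05-01T08:30:00Z user=alice role=admin event=logout session=s1 src=10.0.0.5
2024-05-01T09:00:00Z user=bob role=admin event=login session=s2 src=10.0.0.9
2024-05-01T09:30:00Z user=carol role=user event=login session=s3 src=10.0.1.4
2024-05-01T10:00:00Z user=dave role=user event=login session=s4 src=10.0.1.7
2024-05-01T10:20:00Z user=dave role=user event=logout session=s4 src=10.0.1.7
2024-05-01T11:00:00Z user=erin role=admin event=login session=s5 src=10.0.0.12
2024-05-01T12:00:00Z user=mallory role=user event=logout session=s9 src=10.0.2.2
2024-05-01T12:15:00Z user=bob role=admin event=logout session=s2 src=10.0.0.9
""".strip().splitlines()

# Evaluation time for the sample (constructed): late the same day.
NOW = datetime(2024, 5, 1, 23, 0, tzinfo=timezone.utc)


def parse_event(line: str) -> dict:
    """Split 'ts k=v k=v ...' into a dict with a timezone-aware datetime under 'ts'."""
    ts, *pairs = line.split()
    event = dict(p.split("=", 1) for p in pairs)
    event["ts"] = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return event


def long_sessions(lines, now: datetime) -> list[dict]:
    """Return one alert per session (closed or still open) that exceeds its role's limit."""
    open_sessions: dict[str, dict] = {}
    alerts: list[dict] = []

    def check(start: dict, end: datetime, still_open: bool) -> None:
        duration = end - start["ts"]
        limit = SESSION_LIMITS.get(start["role"], SESSION_LIMITS["user"])
        if duration > limit:
            alerts.append({
                "session": start["session"], "user": start["user"],
                "role": start["role"],
                "minutes": int(duration.total_seconds() // 60),
                "open": still_open,
            })

    for ev in map(parse_event, lines):
        if ev["event"] == "login":
            open_sessions[ev["session"]] = ev
        elif ev["event"] == "logout":
            start = open_sessions.pop(ev["session"], None)
            if start is None:
                continue   # logout with no matching login; ignored here
            check(start, ev["ts"], still_open=False)

    # Sessions never closed are measured up to `now`, so a forgotten admin
    # session fires an alert even though no logout event was ever written.
    for start in open_sessions.values():
        check(start, now, still_open=True)
    return alerts


def run_sample() -> list[dict]:
    return long_sessions(SAMPLE_LOG, NOW)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

On the sample, bob's closed admin session (3h15m) and the two sessions still open at evaluation time (carol's, and erin's privileged one) are flagged; alice's and dave's short sessions are not. The open-session pass is the part most often missed: a detector that only looks at completed sessions never sees the admin login that nobody logged out of.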
Cloud computing has become a major driver of growth for businesses, particularly in accelerating the development lifecycle and time to market for enterprise applications. While this is obviously a positive development, it also means more sensitive data is moving off premise and enterprises need to carefully evaluate the risks that entails, lest they end up among the legion of companies compromised in recent security breaches. In particular, businesses need to understand what security certifications their cloud providers have, what processes they have in place to ensure organizational data remains secure, their policies regarding the on-boarding and off-boarding of their own personnel and the granularity of the metrics they provide customers.
Don’t let any of this scare you! The cloud is a wondrous place full of business value, but as with any other purchase, you owe it to your organization and your customers to go in with a clear-eyed understanding of the risk environment.