Cloud services have become so prevalent you’d think security is a reasonable expectation. However, a secure cloud is easier said than done. Many IT professionals, across various countries, are finding that keeping data and applications safe in remote places is challenging. That’s not because the cloud is insecure. Almost half of professionals in an Intel cloud security report said lacking cybersecurity skills swayed them from cloud adoption. Shadow IT and other factors, according to those in the field, are also making it tough to completely secure the cloud.
A lack of cybersecurity skills can impact cloud security. But it’s not only about not understanding encryption, authentication, and proper management of data stores. It is often unclear who owns encryption/decryption keys – sometimes it’s the vendor, other times it is the customer (which it should be). Therefore, read the fine print on the Service Level Agreement. It can tell you a lot before you even sign on the dotted line.
Shadow IT – An Inhibitor of Cloud Security
Shadow IT has become a practice at many workplaces. Employees who need to get the job done bypass the IT department to compensate for outdated software, lack of support, and complex policies. The hardware and software used on the network not supported by the core IT department constitute Shadow IT. Since IT is so consumerized, personal technologies used at work are part of it too. In any case, security risks arise when unsupported technologies are not included in the same security measures as those that are supported. In regards to the cloud, there are so many potential end points the phenomenon can get out of hand.
Cloud and Compliance
A lapse in compliance exists because there is no common standard in regards to data integrity. Many compliance standards were written when cloud computing was merely a vision. The existing standards for IT security and compliance need to be translated, but Software-as-a-Service complicates the compliance process because most customers don’t know exactly where their data is. It can be in a remote part of a provider’s network, or one owned by a partner of that provider. This is a challenge. Some regulations state certain data shouldn’t be mixed with other data, even on a shared server or the same database. The Sarbanes-Oxley Act, the Health Insurance Portability and Accountability Act, and the industry standard PCI DSS present greater challenges for those migrating data to a cloud environment.
More Cloud Data Security Challenges
Many cloud customers are concerned about the lack of physical access to resources. The public cloud is especially a concern. Computing resources are shared with other organizations, and you don’t know where they are being managed, let alone have control over the data. If another company in the resource pool violates any laws, the government could seize your assets too. The physical access issue also extends to when deciding to switch vendors, and the new provider’s services are incompatible with your present resources and assets. Transporting services from one vendor to another can be a challenge, as is knowing if you’ll get the same level of security.
Data integrity should be maintained during transfer, storage, and retrieval. This is where the lack of a common standard is problematic. But another pervasive issue is the frequent additions and updates to hybrid cloud solutions, services, and applications. Even an update that changes the speed of the service will affect its security. Given there may be major changes made every few weeks, this can be a tough problem to mitigate; such short security cycles aren’t even supported by Microsoft’s systems development life cycle, making it really difficult to manage projects using cloud-based resources, at least in a secure manner. Constant upgrades can be cost- and time-consuming.
A lack of skills, standards, and controls have made it a challenge to make the cloud secure. Shadow IT has been an inhibitor as well. An IT department can address cloud security by working with providers to have control over major factors such as encryption. In a fast-paced, rapidly changing industry, cloud security is not a given, but you can take various measures to protect your data no matter where they reside.