Cloud-based IT systems fulfill important functions in almost every modern industry. Companies, non-profits, governments, and even educational institutions use the cloud to expand market reach, analyze performance, manage human resources and offer improved services. Naturally, effective cloud security governance is essential for any entity that wants to reap the benefits of distributed IT.
Like every IT domain, cloud computing has unique security concerns. Although the very idea of keeping data safe in the cloud has long been considered an impossible contradiction, widespread industry practices reveal numerous techniques that deliver effective cloud security. As commercial cloud providers like Amazon AWS have demonstrated by maintaining FedRAMP compliance, effective cloud security is both achievable and practical in the real world.
Charting an Impactful Security Roadmap
No IT security project can function without a solid plan. Practices that involve the cloud must vary in accordance with the domains and implementations they seek to protect.
For instance, suppose a local government agency institutes a bring your own device, or BYOD, policy. It may have to enact different oversight controls than it would if it simply barred its employees from accessing the organizational network using their personal smartphones, laptops and tablets. Likewise, a company that wants to make its data more accessible to authorized users by storing it in the cloud will probably need to take different steps to monitor access than it would if it maintained its own databases and physical servers.
This isn’t to say, as some have suggested, that successfully keeping the cloud safe is any less probable than maintaining security on a private LAN. Experience has shown that the efficacy of different cloud security measures depends on how well they adhere to certain proven methodologies. For cloud products and services that employ government data and assets, these best practices are defined as part of the Federal Risk and Authorization Management Program, or FedRAMP.
What Is the Federal Risk and Authorization Management Program?
The Federal Risk and Authorization Management Program is an official process that federal agencies employ to judge the efficacy of cloud computing services and products. At its heart lie standards defined by the National Institute of Standards and Technology, or NIST, in various Special Publication, or SP, and Federal Information Processing Standard, or FIPS, documents. These standards focus on effective cloud-based protection.
The program provides guidelines for many common cloud security tasks. These include properly handling incidents, using forensic techniques to investigate breaches, planning contingencies to maintain resource availability and managing risks. The program also includes accreditation protocols for the Third Party Assessment Organizations, or 3PAOs, that assess cloud implementations on a case-by-case basis. Maintaining 3PAO-assessed compliance is a sure sign that an IT integrator or provider is prepared to keep information safe in the cloud.
Effective Security Practices
So just how do companies keep data safe with commercial cloud providers? While there are countless important techniques, a few are worthy of mention here:
Provider Verification
Strong working relationships are built on trust, but that good faith must originate somewhere. No matter how well-established a cloud provider is, it’s important that users verify its compliance and governance practices rather than take them on faith.
Government IT security standards typically incorporate auditing and scoring strategies. Checking up on your cloud provider’s past performance is a good way to discover whether they’re worthy of your future business. Individuals who hold .gov and .mil email addresses can also access FedRAMP Security Packages associated with different providers to corroborate their compliance claims.
Assume a Proactive Role
Although services like Amazon AWS and Microsoft Azure profess their adherence to established standards, comprehensive cloud safety takes more than one party. Depending on the cloud service package you purchase, you may have to direct your provider’s implementation of certain key features or advise them that they need to follow specific security procedures.
For instance, if you are a medical device manufacturer, laws like the Health Insurance Portability and Accountability Act, or HIPAA, may mandate that you take extra steps to safeguard consumer health data. These requirements often exist independently of what your provider must do to keep their Federal Risk and Authorization Management Program certification.
At a bare minimum, you’ll be solely accountable for maintaining security practices that cover your organizational interaction with cloud systems. For instance, you need to institute secure password policies for your staff and clients. Dropping the ball on your end can compromise even the most effective cloud security implementation, so assume responsibility now.
What you do with your cloud services ultimately impacts the efficacy of their security features. Your employees may engage in shadow IT practices, such as sharing documents via Skype or Gmail, for reasons of convenience, but these seemingly innocuous acts could undermine your carefully laid cloud protection plans. In addition to training staff how to use authorized services properly, you need to teach them how to avoid pitfalls involving unofficial data flows.
Understand the Terms of Your Cloud Service to Control Risk
Hosting your data on the cloud doesn’t necessarily grant you the same allowances you’d inherently have with self storage. Some providers retain the right to trawl your content so that they can serve ads or analyze your usage of their products. Others may need to access your information in the course of providing technical support.
In some instances, data exposure isn’t a huge problem. When you’re dealing with personally identifiable consumer information or payment data, however, it’s easy to see how third-party access could prompt disaster.
It may be impossible to totally prevent all access to a remote system or database. Nonetheless, working with providers who release audit records and system-access logs keeps you in the know about whether your data is being maintained securely. Such knowledge goes a long way towards helping entities mitigate the negative impacts of any breaches that do occur.
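The article says provider-released audit records and access logs keep you informed about how your data is handled; the value comes from actually reviewing them against what you authorized. The following is an added example, not code from the article, showing one way a customer might do that review. It assumes a constructed, generic JSON-lines log schema (fields time, actor, actor_type, action, resource, ticket) rather than any real provider's format, and the sample events, resource names and ticket ids are all constructed for illustration.

```python
import json
from dataclasses import dataclass
from datetime import datetime

# Constructed sample of provider-released access events. The schema is an
# assumption for this example, not a real provider's audit log format.
SAMPLE_LOG = """\
{"time": "2024-03-01T09:12:00Z", "actor": "alice@example.org", "actor_type": "customer", "action": "read", "resource": "db/patients", "ticket": null}
{"time": "2024-03-01T10:05:00Z", "actor": "support-bot-17", "actor_type": "provider", "action": "read", "resource": "db/patients", "ticket": "SUP-4411"}
{"time": "2024-03-01T11:30:00Z", "actor": "support-eng-42", "actor_type": "provider", "action": "read", "resource": "db/patients", "ticket": null}
{"time": "2024-03-01T11:31:00Z", "actor": "support-eng-42", "actor_type": "provider", "action": "read", "resource": "logs/app", "ticket": null}
{"time": "2024-03-01T12:00:00Z", "actor": "support-eng-42", "actor_type": "provider", "action": "export", "resource": "db/payments", "ticket": "SUP-4411"}
"""

# Resources the customer, not the provider, classifies as regulated data (constructed).
SENSITIVE_RESOURCES = {"db/patients", "db/payments"}

# Support tickets the customer actually opened and approved (constructed).
APPROVED_TICKETS = {"SUP-4411"}

# Actions that move data out of the environment; reviewed even when a ticket exists.
EXFIL_ACTIONS = {"export", "download", "copy"}


@dataclass(frozen=True)
class Finding:
    time: datetime
    actor: str
    resource: str
    action: str
    reason: str


def parse_events(text):
    """Parse JSON-lines access events, converting the timestamp to a datetime."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["time"] = datetime.fromisoformat(ev["time"].replace("Z", "+00:00"))
        events.append(ev)
    return events


def review_provider_access(events):
    """Flag provider-side access to sensitive resources that the customer did not authorize.

    Customer principals are skipped here because they fall under the customer's own
    IAM review; this function covers only the provider's support access.
    """
    findings = []
    for ev in events:
        if ev["actor_type"] != "provider":
            continue
        if ev["resource"] not in SENSITIVE_RESOURCES:
            continue
        ticket = ev.get("ticket")
        common = (ev["time"], ev["actor"], ev["resource"], ev["action"])
        if ticket is None:
            findings.append(Finding(*common, "provider access to sensitive data with no support ticket"))
        elif ticket not in APPROVED_TICKETS:
            findings.append(Finding(*common, f"ticket {ticket} was not approved by the customer"))
        elif ev["action"] in EXFIL_ACTIONS:
            findings.append(Finding(*common, f"data export under ticket {ticket} requires review"))
    return findings


def summarize_by_actor(findings):
    """Count findings per provider actor so repeat offenders stand out."""
    counts = {}
    for f in findings:
        counts[f.actor] = counts.get(f.actor, 0) + 1
    return counts


if __name__ == "__main__":
    results = review_provider_access(parse_events(SAMPLE_LOG))
    for f in results:
        print(f"{f.time.isoformat()} {f.actor} {f.action} {f.resource}: {f.reason}")
    print(summarize_by_actor(results))
```

Run against the sample, the review produces two findings, both for the same support engineer: a read of patient data with no ticket, and a payment-data export that had a ticket but still warrants a look. The point is that the customer, not the provider, decides which resources are sensitive and which tickets were approved; the provider's log is only useful once it is compared with that list.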
Never Assume Security is a One-Time Affair
Most intelligent people change their personal passwords on a regular basis. Shouldn’t you be just as diligent about cloud-based IT security?
Regardless of how often your provider’s compliance strategy dictates they conduct self audits, you need to define or adopt your own set of standards for routine assessments. If you’re also bound by compliance requirements, it would behoove you to enact a stringent regimen that ensures you can meet your obligations even if your cloud provider fails to do so consistently.
Creating Cloud Security Implementations that Work
Effective cloud security isn’t some mystical city that lies forever beyond the horizon. As a well-established process, it’s well within the reach of most IT service users and providers no matter which standards they conform to.
By adapting the practices outlined in this article to your purposes, it’s possible to achieve and maintain security standards that keep your data safe without drastically increasing operational overhead.
Aira Bongco
I think it pays to be proactive. After all, too many people are so trusting when it comes to cloud providers that they fail to even consider security.