Why is cloud security important?
Cloud security, also known as cloud computing security, is a collection of security measures designed to protect cloud-based infrastructure, applications, and data. These measures ensure the authentication of users and devices, access control for data and resources, and protection of data privacy. They also support regulatory compliance.
Cloud security is critical since most organizations are already using cloud computing in one form or another. Gartner recently reported that the worldwide market for public cloud services grew 17% in 2020, with software as a service (SaaS) remaining the largest market segment.
But as companies move more data and applications to the cloud, IT professionals remain concerned about security, governance, and compliance issues when their electronic data is stored in the cloud. They worry that highly sensitive business information and intellectual property may be exposed through accidental leaks or due to increasingly sophisticated cyber threats.
Maintaining a solid cloud security posture helps organizations achieve the now widely recognized benefits of cloud computing:
- Lower upfront costs
- Reduced ongoing operational and administrative expenses
- Ease of scaling
- Increased reliability and availability
- A whole new way of working
Is the cloud secure for my content?
As companies depend more on cloud storage and processing, CIOs and CISOs may have reservations about storing their content with a third party, apprehensive that abandoning the perimeter security model might mean giving up their only way of controlling access. This fear turns out to be unfounded.
Over the last decade, cloud service providers (CSPs) have matured in their security expertise and toolsets. They ensure boundaries between tenants are protected (so, for example, one customer cannot view data from another customer). They also implement procedures and technology that prevent their own employees from viewing customer data (typically, both encryption and company policy prevent workers from looking at data).
CSPs are acutely aware of the impact a single incident may have on their customers' finances and brand reputation, and they go to great lengths to secure data and applications. These providers hire experts, invest in technology, and consult with customers to help them understand cloud security.
Customers are beginning to accept the notion that their data is probably safer in the cloud than within the company's perimeter. According to a study by Oracle and KPMG, 72% of participating organizations now view the cloud as much more or somewhat more secure than what they can deliver on-premises themselves. The cloud offers centralized platforms that reduce the surface area of vulnerability and allow for security controls to be embedded consistently over multiple layers.
Data breaches do still occur. But on closer inspection of the cases from recent years, most of the breaches result either from a misunderstanding about the role customers play in protecting their data or from customer misconfiguration of the security tools supplied by the cloud service provider. This fact is evident in the most recent annual Verizon Data Breach Investigations Report. This report describes the causes of 2,013 confirmed data breaches and makes virtually no mention of cloud service provider failure. Most of the breaches detailed in the Verizon report resulted from the use of stolen credentials.
To help avoid misunderstandings about the responsibilities between customers and providers regarding cloud security, industry analysts and cloud service providers have recently developed the Shared Responsibility Security Model (SRSM), a model that helps clarify where responsibilities lie for security.
Five things to look for when choosing a CSP
When it comes to CSP solutions that manage your content in the cloud, you need good vendors you can trust who prioritize security and compliance. Here are six things to look for in a cloud solution:
- Controls that prevent data leakage. Look for providers that have built-in controls that help prevent issues such as unauthorized access, accidental data leakage, and data theft.
- Strong authentication. Look for strong authentication measures to ensure proper access through strong password controls and multi-factor authentication (MFA). Multi-factor authentication should be supported for both internal and external users, and single sign-on (SSO) should be supported so users can log in once and have access to the tools they need.
- Data encryption. Make sure it's possible to have all data encrypted both at rest and in transit. Data is encrypted at rest using a symmetric key as it is written to storage. Data is encrypted in transit across wireless or wired networks by having it transported over a secure channel using TLS.
- Visibility and threat detection. Do administrators have one unified view of all user activity, and all internally and externally shared content? Does the provider use machine learning to determine unwanted behavior, identify threats, and alert your teams? These algorithms analyze usage to learn typical use patterns and then look for cases that fall outside those norms.
- Continuous compliance. Look for content lifecycle management capabilities, such as document retention and disposition, eDiscovery, and legal holds. Find out if the provider's service is independently audited and certified to meet the most challenging global standards. Do their services help you comply with regional or industry regulations, such as GDPR, CCPA, FINRA, HIPAA, PCI, GxP, and FedRAMP?
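
To make the "Visibility and threat detection" item concrete, the sketch below is an added example, not any provider's algorithm. In place of machine learning it uses a plain statistical baseline (median and median absolute deviation) to learn each user's typical daily download volume and flag days that fall outside it. The record format, names and thresholds are assumptions made for the illustration.

```python
import statistics
# Constructed daily records "date,user,files_downloaded"; not from a real service.
HISTORY = """\
2024-03-04,alice,12
2024-03-05,alice,9
2024-03-06,alice,11
2024-03-07,alice,10
2024-03-08,alice,13
2024-03-04,bob,3
2024-03-05,bob,3
2024-03-06,bob,3
2024-03-07,bob,3
2024-03-08,bob,3
"""
TODAY = "2024-03-11,alice,14\n2024-03-11,bob,40\n2024-03-11,carol,5\n"
THRESHOLD = 3.5  # usual cut-off for the modified z-score
MIN_DAYS = 5     # shorter histories are not trusted as a baseline
MAD_FLOOR = 1.0  # keeps the score finite when a user's history is constant

def load(text):
    """Parse the records into {user: [daily counts]}."""
    per_user = {}
    for line in text.splitlines():
        _date, user, count = line.split(",")
        per_user.setdefault(user, []).append(int(count))
    return per_user

def score(history, value):
    """Modified z-score of value against the user's median and MAD."""
    med = statistics.median(history)
    mad = statistics.median([abs(x - med) for x in history])
    return 0.6745 * (value - med) / max(mad, MAD_FLOOR)

def classify(history_text, today_text):
    """Map each user active today to normal, anomalous or no_baseline."""
    baseline = load(history_text)
    verdicts = {}
    for user, counts in load(today_text).items():
        past = baseline.get(user, [])
        if len(past) < MIN_DAYS:
            verdicts[user] = "no_baseline"  # surface for review, never auto-pass
        elif score(past, sum(counts)) > THRESHOLD:  # one-sided: spikes only
            verdicts[user] = "anomalous"
        else:
            verdicts[user] = "normal"
    return verdicts

if __name__ == "__main__":
    print(classify(HISTORY, TODAY))
```

The constant-history case (bob) and the first-seen account (carol) are the two situations where a naive mean and standard deviation baseline either divides by zero or silently passes an unknown user.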