Chances are that if you are reading this article, you have already moved some, or perhaps most, of your IT infrastructure to the cloud. While most organizations spend a lot of time, energy and money developing strategies for migrating their important data and workflows to the cloud, they usually don’t worry about security and risk management strategies until after the migration. In fact, many organizations assume that it’s fine to keep the strategy they were using before the move. But you wouldn’t keep renter’s insurance on a home you just bought, nor would you put diesel fuel in a new hybrid car. It’s not that renter’s insurance or diesel fuel are bad; these tools simply no longer fit the environment in which they would be used. Security isn’t much different. Security and risk management solutions vary, and the strategy you employ should change based on your current situation. In this article, we want to explore a few things to consider when moving to the cloud. Just because someone new is responsible for hosting important technology, it doesn’t mean you can put your head in the sand when it comes to security.
1. Make sure your Cloud partner is aware of the value and compliance standards for your data
If a data breach occurs, you are responsible for responding to the incident, whether that is to regulators, to your clients or to other third parties who have a stake in the data you use on a daily basis. Many people I have talked to in the past say that a major motivating factor for moving their data assets to the cloud was the shift of technical responsibility for things like backups and disaster recovery away from themselves and onto the hosting provider. I suppose that’s true… to an extent. Ultimately, you have to trust whoever is hosting your data to act responsibly, much as you would if you managed a group of servers in a network closet you control. But trust isn’t enough. The agreement you have with your cloud services provider is extremely important. What guarantees have they made to you? What data retention strategy do they employ? Are they audited and certified against data center compliance standards? Do they explicitly document their adherence to a specific standard that applies to your data, such as HIPAA? Your organization won’t be looked at favorably if a breach happens and you failed to draw the lines of responsibility for the management of your data. Even worse, it could be seen as negligent if you have ignored these standards and continue to operate with a host that has not made the proper assurances contractually.
2. Re-examine the flow of sensitive data
Some cloud solutions perform some kind of “sync,” perhaps by bringing files down to your local PC. Others have you operate entirely in a remote workspace, where your PC is simply a mouse, keyboard and monitor used to manipulate data that lives elsewhere. And of course, it’s not uncommon for a decent cloud solution to offer you a variety of ways to work. Now that you have invested in a cloud solution, you need to understand the channels over which sensitive data travels. If data moves up and down between the host and the PC, then you need to be certain that, if the data is in fact sensitive, those transmissions are secure and encrypted. If data stays on PCs for any amount of time, you may be required, from a legal or regulatory perspective, to encrypt the hard drives so that the data is protected at rest. Also, how does your workflow change when you have to share data with third parties now that your hosts are no longer local servers? It’s important that these matters are discussed and revisited on a regular basis and, as always, that the resulting security policies and procedures are communicated to staff.
3. Make sure that you have a support and maintenance plan for ALL devices connecting to the Cloud
As organizations move to the cloud, the move often comes with one significant compromise in user rights and control, depending on the solution. Furthermore, organizations that move to the cloud tend to adopt a more aggressive approach to “Bring Your Own Device,” and more personal devices tend to access company data assets in the cloud because of the flexibility it can provide. Certainly, we encourage organizations to use all of the technology available to them to be as productive as possible. But we can’t allow convenience and productivity to overrule proper risk management. This starts with a policy, communicated to staff, under which all devices that access company data, not just company-owned ones, are accounted for. In the case of mobile devices, there have to be strong controls that allow the organization to retain custody of its data, even if an employee moves on and takes their personal smartphone with them. Once all devices accessing data are accounted for, the organization needs a structured support plan that includes patch management, anti-virus/anti-malware, and other supplementary security products that fit its needs. Beyond PCs and smartphones, there are also more specialized network appliances designed to work alongside cloud hosts. It may be time for your organization to consider changes to devices such as your local firewall, even if your existing hardware is functional and supportable. You will also want to consider other factors, such as the methods by which you connect to your cloud host. What oversight is there for things like user logins or password management for authentication into the system? What controls are in place to protect browsers and prevent phishing if users connect to the cloud that way?
4. Revisit and edit Security Incident Response policies
Proper behaviors and communication standards are still important when working in the cloud. Security issues isolated to individual PCs have different implications in an environment where the servers are located elsewhere. During a cloud migration, it is important to review current policies, especially those related to security, before, during and after the cloud has been integrated into your workflow. Additionally, consider making periodic vulnerability assessments with a security professional part of your overall risk management plan.
Conclusion
These items are just the tip of the iceberg. Like most items related to security, it is best to discuss your specific situation with your trusted IT advisor or other experienced experts.
About the Author: Ben Schmerler is a vCIO Consultant at DP Solutions, one of the most reputable IT managed service providers (MSPs) in the Mid-Atlantic region. Ben works with his clients to develop a consistent strategy not only for technical security, but also for policy/compliance management, system design, integration planning, and other business-level technology concerns. You can follow DP Solutions updates on LinkedIn or their website: www.dpsolutions.com.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.