07/12/16 | Security
People, Process and Technology in Cloud Security
There has been much written about the transformation occurring with the use of cloud technology. Words such as “revolutionary”, “game-changing” and “democratisation of technology” have all been used.
We live in a time where the creation of and access to data drive our commerce. However, negative elements of our society are willing to steal data in order to profit from the work of others. Loss of control of data could lead to identity theft, privacy or reputation loss, regulatory restrictions and fines.
Many large and small companies have taken advantage of moving to cloud technologies. A common misconception is that doing so eliminates all responsibility of the users and provides complete security. Often we hear “that’s in the cloud” as if to mean that users’ worries are at an end.
But are they?
People, Process, Technology – these three terms should be considered together when planning significant transformations, but often are not. With the use of cloud, transforming technology is fairly easy. Transforming people and process is not as easy.
People – We are creatures of habit and simplicity. For example, when we access sites or networks (almost anything online), we prefer to have simple access that does not change. This is why many of us use the same password for several locations. Also, many of us do not change our passwords every 90 days as suggested. That would require us to change a multitude of passwords and many of them require complexity and length.
A simple solution may be the use of “password keepers”. There are a number of them available. But even having a tool available does not mean that it will be used. We need to practice using them. With practice, our habits can be used to create greater security.
Awareness of potential risks also needs to be instilled in our daily activities. How many of us can recognise a fake or “phishing” email? (See poster from Security Central) Even if you recognise it as a phishing email, do you know what to do? As much as we can save money with changes to technology, further savings can be realised with basic education. These savings can be realised when not having to implement emergency processes and forgo normal business operations.
Process – Systems may be located and maintained in a cloud infrastructure. This does not mean that your own processes are eliminated. These may need to be adjusted. For example, the cloud infrastructure may have a maintenance or downtime schedule. Your operations may need to be adjusted for this schedule. Also, changes to cloud infrastructure may affect your operations. This could require additional testing on your part.
You may be creating content at your location and may have backup offsite. Your backup will need to be refreshed periodically to maintain the latest version. A weekly or daily backup may not be sufficient. Also, it is a good idea to test your backups periodically to ensure that you have a working copy.
Something else to think about is the location of your content. Cloud infrastructure may not be located in your country. It may not even be in your geographic region. This may mean that there are additional jurisdictional requirements that have to be considered. Consider this if your content contains intellectual property, personally identifiable data or health information.
Source: Cloud Security Alliance 2011
In conclusion, cloud technologies can and do make non-core operations faster and easier. However, it is not enough to simply put operations into a cloud infrastructure and walk away. Additional review of both internal and external operations may be required. Such considerations are noted in chapter 20 of Cloud Security Ecosystem, and I encourage all businesses not only to take the time to read this, but also to assess whether they are taking a security-conscious approach to the use of cloud technology.