A security researcher recently discovered an unprotected cloud server. These are common these days, but sometimes the unprotected system has sensitive data. In this case, the server exposes sensitive personal data of about 85 percent of Panama’s citizens. How does this kind of thing occur?
Cloud computing has been around for several years now. Most organizations have gained some level of experience with it in various ways. Cyber security risk is a reason often cited for not pursuing cloud computing for more mission critical needs. While this is important, there tends to be too much focus on the cloud provider at the expense of implementing sufficient controls up front in the design.
When it Comes to Risk Assessment & the Cloud: Some Rules Don’t Change
Security controls don’t change. They are the same in the cloud or in your data center. The main difference is how they are implemented and who is responsible for them. Obtaining and maintaining an understanding of the control environment is the foundation of the cloud security plan. Once controls are defined you can calculate the residual cyber risk in the environment.
Those who say “I’m fine” or “that breach could never happen to us” often use gut feel as a guide. They have not often gone through the process to really understand the risk. If they have, it is not enough to understand the risk at the beginning. Maintaining this understanding is also very important and sometimes the more difficult thing to do.
When You Need to Adjust Your Security for Cloud Processes & Platforms
Cloud providers constantly update their services with new capabilities or features. Those using these services may put different kinds of data out there with more (or less) sensitivity. As a result of this, good security plans have to keep up with this change. Controls change. People change. Companies change. Security needs to adapt.
You may ask – how can you keep up? Things change too fast! This is why it is so important to have a cloud strategy which includes a strong cyber security approach. An efficient process for documenting controls and risk is important. It takes some work, but once it is developed it can be used for all cloud deployments. Controls may change, but you’ll get more efficient.
Key Takeaways for Businesses
Cyber security risks can be too high for some. It is important though not to dismiss a solution based on a cyber security risk if an understanding of that risk is not accurate. Cloud solutions can offer a way to propel your company ahead of the competition. You’ll want to spend the time to have a cloud strategy and implementation architecture. Make sure a full consideration of security is built into the process from start to finish. Know how you’ll grow and change with the provider.
Whether it’s a researcher or a malicious actor, people are probing your defenses. Sometimes just one oversight can make all the difference. If you’ve done your homework, make sure the cloud provider does its part. Ensure there are ways in the services contract or service level agreements to know what the provider is doing. If done properly, you’ll have a picture of both sides of the street. Cloud computing will then become something to embrace and use without fear.