Seven fatal missteps when employing cloud computing
Adopting cloud computing for business work is a choice that many organizations are attempting to make in order to benefit from its automation, cost efficiency and data redundancy. However, one should not let these advantages cloud one's judgment and forget to look at the other side of this technology. Here are seven downsides of cloud computing regarding its security.
Failing to check IDs at the entrance
Many cloud services allow just anyone in the organization to sign up and log in to the cloud without integrating with enterprise identity management. This way, unguarded access can pass through, and people can touch data that is none of their business. If the organization does nothing about ID checking, it is left vulnerable to data leakage and policy violations, and the security of the entire cloud is put at risk. Bottom line: the cloud is only secure if users log in to it via enterprise identity management systems.
Ignoring demands for (secure) APIs
An application programming interface (API) enables the cloud to bring internal services and capabilities to those who wish to access them. APIs are used to create valuable ecosystems based on the internal pieces and business information of companies. However, API keys, which allow developers to access API services, haven’t been paid enough attention in terms of security. For something that is compared to a password, the lack of a solid security plan will have unfortunate consequences should these keys be lost or stolen.
Not keeping sufficient independence from cloud providers
Cloud computing is a rather new technology, subject to change and evolution every day. Thus, the best approach that cloud providers offer today may not be the best tomorrow. Avoiding lock-in with a particular cloud provider is hence something that should not be taken lightly. Companies can apply new standards efforts such as TOSCA and CAMP to ensure their flexibility in switching to new cloud approaches when their business needs to. Maintaining a fair degree of independence from the cloud vendor contributes to the overall resilience of the business.
Thinking you are outsourcing risk and accountability
The cloud can be a place to contract out some of a company’s infrastructure, but it’s not there for companies to outsource all risks, accountabilities and compliance obligations. Cloud providers, therefore, are required to have a certain level of transparency about risk models and enterprise strategies. This also suggests that some cloud providers may or may not be the appropriate choice for the company, because some are more capable in risk assessment and management than others. One thing is certain: cloud providers cannot tend to your risks as much as you can.
Signing up for cloud solutions without IT and security involvement
Many cloud-based services, such as Dropbox and Google Drive, are made easy to use by not requiring users to have technical or IT knowledge. However, from the corporate viewpoint, applying cloud solutions without adequate IT knowledge or involvement can lead to conflicts with existing systems, configurations and applications, not to mention many new issues regarding security, performance and troubleshooting.
“The risks and vulnerabilities they introduce can lead to significant costs in damages, systems failures, breaches and fines for noncompliance,” said Jerry Irvine, CIO of Prescient Solutions and member of the National Cyber Security Task Force.
To avoid such consequences, all cloud adoption must be put through risk assessments, internal policy and compliance checks before being introduced to the systems.
Overestimating cloud security
Steve Durbin, Global Executive Vice President of the Information Security Forum, notes that the advantages of cloud services often lead companies away from questioning how cloud providers ensure security across services and how to check that security.
The common assumption that many companies share is that cloud service providers, by default, have large and strong security policies and processes to cater to their many customers. However, the truth is not that rosy. Cloud service providers in fact often deploy only a basic level of in-house security, and rely on automated applications and platforms to handle the rest. They can also outsource this security work to third parties with more expertise and higher quality, but this outsourcing may not be mentioned in contracts and agreements between providers and customers. So, it’s the customer’s job to protect themselves by requiring their service provider to ensure specific security functions and to record and report all security policies and activities.
Failing to understand the costs
Cloud service providers often lure potential customers by exhibiting only the basic and (often) cheap costs. However, when customers take the bait, they are soon surrounded by unexpected costs for additional services, software licenses, etc. Expenses for security measures and compliance can also rise in the same manner. This happens because companies often think they would not have to use too many resources once the work is pushed onto the cloud.
“Depending on the type of cloud service being offered (SaaS, IaaS, PaaS), the number of resources required internally may not change at all. In fact, many of our clients who engage in cloud computing have no decrease in the internal IT department at all,” said Irvine.