Administering and maintaining IT in-house can consume a significant portion of resources, especially for small and medium-sized businesses, which typically operate with smaller budgets. It is no surprise that cloud computing continues to grow, with no end in sight. With cloud computing, SMBs do not have to worry about concerns such as the impending Microsoft Server 2003 end of support deadline. Despite the cost advantages, though, migrating to cloud solutions introduces security concerns.
In a 2014 IT study by Vormetric, professionals indicated that their top concerns with cloud solutions included lack of control over data location, potential for third party access, and lack of visibility on the part of the service provider. While there may always be concerns associated with the cloud, we offer the following strategies to assuage those worries.
Cloud Computing Models
Before delving into best practices for mitigating security threats, let’s get familiar with the three cloud computing models.
Software as a Service (SaaS) – A very common cloud computing model in which users subscribe to applications hosted by a provider. Examples of SaaS include Facebook, Google Drive, and Adobe Marketing Cloud. A common security threat to SaaS is theft of user logins and passwords.
Platform as a Service (PaaS) – Geared more towards developers and programmers, PaaS typically does not involve ready-to-go applications. Instead, the provider rents the platform and hardware required by developers. Examples of PaaS include GoDaddy, Windows Azure, or Google App Engine. Similar to SaaS, and really all cloud computing models, security issues with PaaS involve authentication and unwanted access.
Infrastructure as a Service (IaaS) – In the IaaS model, infrastructure such as physical and virtual machines, firewalls, and VPNs is provided. Two examples of the IaaS model are Rackspace and Amazon EC2. With IaaS solutions, security risks you should watch for include non-compliance with industry-standard regulations and inadequate data protection.
Security Concerns and Risk Mitigation Strategies
When utilizing a cloud computing solution, follow the strategies below to minimize security risks.
- Do your due diligence when researching a cloud solution. As with most things, it begins with the first step. Your company is moving several of its hardware and software solutions to the cloud. Whether SaaS, PaaS, or IaaS, you need to research your potential vendors thoroughly. This includes examining the vendor’s security history, checking for references, checking for known security vulnerabilities, and ensuring your contract with them includes proactive security practices on their end.
- Utilize a Single Sign-on (SSO) solution to add security (and convenience). Depending on the size of your organization, you could be creating many user accounts for several different cloud services. Without SSO, one user could have several login accounts and passwords, which complicates matters for both the user and the administrator. With SSO, administrators have fewer accounts to create and delete as users enter and leave the organization, and users have fewer user names and passwords to write down or forget. By downsizing to a single sign-on environment, you reduce the number of potential security weaknesses.
- Work with a third party to assure cloud security on a regular basis. Generally, having multiple parties increases security risks. However, small and medium businesses without large IT departments sometimes need assistance to audit and ensure cloud security. For some industries, this assistance comes in the form of industry-standard security certification. You should utilize third-party audits to ensure that your cloud provider is following your industry’s standards of security.
- Implement end-to-end encryption. End-to-end encryption, particularly for cloud storage, decreases the likelihood of your data being breached. Most cloud storage solutions encrypt data during upload and download, but do not store the data encrypted. The method with the least risk requires that your data be encrypted prior to upload, remain encrypted while it is in the provider’s datacenter, and be decrypted only with the required encryption key.
- Regularly update your in-house software. Do not neglect your end when moving to the cloud. If you are running outdated operating systems such as Windows XP and outdated internet browsers such as IE 7, you could be at risk despite encryption and third-party audits.
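The end-to-end encryption item above calls for data to be encrypted before upload so that the provider only ever holds ciphertext. The following Go program is an added example, not part of the original article, showing that flow with AES-256-GCM from the standard library. The cipher choice, the function names Seal and Open, and the sample object name are assumptions made for the illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal runs on the client before upload; the provider stores nonce||ciphertext||tag.
func Seal(key, plaintext []byte, name string) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(name)), nil // name is bound as associated data
}

// Open runs on the client after download and fails if the blob was altered.
func Open(key, blob []byte, name string) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(blob) < n {
		return nil, fmt.Errorf("blob is %d bytes, shorter than the nonce", len(blob))
	}
	return gcm.Open(nil, blob[:n], blob[n:], []byte(name))
}

func main() {
	key := make([]byte, 32) // constructed demo key; real keys never go to the provider
	rand.Read(key)
	blob, _ := Seal(key, []byte("constructed payroll record"), "payroll.csv")
	pt, err := Open(key, blob, "payroll.csv")
	fmt.Printf("stored %d bytes, recovered %q, err=%v\n", len(blob), pt, err)
}
```

Because the object name is authenticated along with the data, a blob that is modified in storage or returned under a different name fails to decrypt instead of yielding altered plaintext.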
Mitigating cloud computing risks should be a priority for any organization that wants to move away from in-house hardware and applications. What are you doing to protect your data and remote assets?