Security Considerations While Moving To The Cloud
It is always difficult to maintain in-house IT operations at the cutting edge of efficiency. Whether it is a question of getting enough budgets approved or keeping all stakeholders happy, life for technical managers is never easy.
On the other hand, clouds have certain inherent advantages. Big cost savings, convenience, scalability, conversion of CAPEX to OPEX are some of the features that go in favor of cloud solutions. These can help an organization accomplish a lot in a short span of time. Not to forget that cloud service providers do a phenomenal job in convincing businesses to offload at least part of their IT burden.
Amidst attractive marketing pitch it is likely that some of the security risks go un-noticed. Ignoring those risks may prove costly for business. While it is fine to go for cloud based solutions certain precautions must be taken.
Here is the list of considerations that organizations should apply before jumping on the bandwagon.
Know your security objectives
Most of the in-house IT setups have evolved over a period of time. Various security measures got added to the lists in an incremental fashion. Collective effect of all security measures is taken for granted when planning any new in-house system. But all those goodies will not be available in the cloud setup unless you explicitly ask for them. It is highly recommended that before opting for cloud solution, have your security objectives identified and documented. Never rely on an existing document that is several months old. It is always better to have an up-to-date document that captures security objectives and strategy clearly and comprehensively.
What does a service provider offer
Many cloud service providers are silent or vague about the kind of security they offer. Do not rely on marketing brochures which are generally meant to cater to a wide variety of customers. Explicitly ask your service provider about security policy document, practice manual, disaster recovery options applicable specifically to your subscription. Also check the security certifications the service provider has. Look for ISO 27001, SSAE 16, PCI DSS 2.0, HIPAA compliance and any other industry specific certifications. More number of updated certifications adds credibility to the provider.
Transition in phases
It is the old golden rule. Irrespective of the number of applications, size of databases or servers it is always better to structure them in logical phases and move them to cloud in stages. This will ensure that any surprises are discovered early in the cycle and risks are minimized.
Do a vulnerability assessment
Do not bank entirely on contract terms even after you have moved an application or domain to the cloud. Involve a third party to conduct a thorough vulnerability assessment before going live and find out any existing vulnerabilities. Fix those vulnerabilities and conduct another round of tests. Proceed with go-live only when the risk is within an acceptable range.
Maintain a parallel run
You must not wind up your existing in-house setup immediately after going live. It is the most reliable backup and recovery option you have got. Depending on the size of application and criticality the in-house setup can co-exist anywhere from few weeks to few months. Even after that you can continue to use that as an in-house backup. Unlike cloud backup, this backup would be available under your direct custody.
Buy Cyber security Insurance
Even after taking all the precautions in the book things can go wrong. Just one lapse is what hackers require before they can walk away with your sensitive data or carry out a DDOS attack or worse inflict downtime. Explore a suitable cyber security insurance option which can mitigate losses from a variety of cyber incidents, including data breaches, network damage, and cyber extortion. This has to be over and above any safeguards in-built into the contract with cloud service provider.
Remember there are different types of cloud service providers – some are really good while others aren’t. Also, your organizations’ need are specific and even to date there is no one-size-fits-all solution. At the end of the day you are responsible for your data and it’s better to be safe than sorry.
By Manoj Tiwari