
Five Cloud Security Tips


Cloud computing has created a new model that offers the possibility of elastic and flexible computing environments for software, infrastructure, and development platforms with reduced costs and quicker time to value than traditional in-house solutions. So with these benefits in mind, you might wonder why everyone isn’t riding the cloud wave. The main impediment to cloud growth continues to be that of security concerns covering a broad spectrum of issues, including:

  • risk and audit posture of the cloud provider;
  • proliferation of data within the cloud;
  • lack of control.

Perceived security challenges aside, it’s certainly possible to enjoy the benefits of cloud while actively managing the associated risks. To this end, we offer the following tips and advice to readers considering a cloud computing solution:

  • Think strategically: Not all workloads are created equal; careful consideration must be given to each workload before determining its appropriateness for movement into the cloud. Organizations must understand the governance and security requirements for each proposed workload and then validate whether or not they can be met within the cloud environment. It is only through this selective evaluation process that you can help avoid audit exposure and control the proliferation of data, which may be subject to a variety of differing controls and residency requirements.
  • Establish clearly defined roles and responsibilities: When adopting public and hybrid cloud solutions, the relationship between consumer and service provider most closely resembles that of a traditional IT outsourcing arrangement. As such, it is critical that each party has a clear understanding of its own security obligations. For example, securing software-as-a-service offerings is largely the responsibility of the service provider because the solution is consumed as a packaged static application. On the other end of the spectrum is infrastructure as a service, which exposes users to a greater responsibility for securing individual virtual machines.
  • Have a backup plan: Most public and private cloud solutions trade direct control for cost savings and efficiencies derived from the cloud’s economies of scale. Transferring control of specific IT functions to another party does not fully obviate responsibility for availability of key workloads. Organizations must consider the provider’s disaster recovery and restoration plans in the context of their specific needs, keeping in mind requirements for service availability, data backup, data residency, etc.
  • Establish metrics and test regularly: Reputable cloud providers should offer a variety of Service Level Agreements (SLAs) that might include metrics such as: availability, outage notification, service restoration, average time to resolve, notification of breaches, etc. Cloud providers should proactively report on SLA compliance and deliver agreed-upon remedies.

Organizations should also test the metrics and security protocols that the cloud provider has committed to deliver. This might include performing audits, assessments, and even penetration tests to ensure effectiveness. It’s critical to remember that maintaining a strong security posture is a continual process that doesn’t end at the borders of your network; it ends wherever your data resides.

  • Don’t forget the basics: All too often organizations spend time and money developing security strategies that employ the latest (and most expensive) technical controls while turning a blind eye towards the basics of risk assessment, policy development / enforcement, and continuous validation of established and required controls. A quick look at many of the security issues of 2011 reveals some consistent themes:

– breaches and outdated vulnerabilities go hand in hand;
– poor management and enforcement of policy contribute to making that possible;
– breaches are most damaging when organizations don’t understand their risk posture.

These security basics apply to cloud environments just as they do to local and partner networks. It is the responsibility of your organization to ensure that security policies cover standards and controls for outsourced environments, and it must become common practice to follow up with providers regularly to assess changes.

Organizations should not shy away from cloud computing because of security and compliance concerns. Instead, they should look at cloud as a strategic way to bring the benefits of new technology to bear, and take the time and effort necessary to do so in a controlled manner. With careful planning and appropriate due diligence, we believe that some purpose-built cloud environments can be more secure than their local, single tenant counterparts.

By Jason Hilling – Manager, Strategy and Enablement, IBM Security Services
