Addressing security concerns in the Cloud
Published Wednesday, September 26, 2018 12:32 PM by Jon Wrennall, Chief Technology Officer, Advanced
It’s no longer a case of why or if, but when, organisations will move to the Cloud. Most now recognise that the Cloud allows them to focus on driving their core business, as well as minimise cost and leverage economies of scale, improve end-user experience, and reduce operational risk.
The journey to the Cloud, however, isn’t a straightforward one, which is why some organisations are yet to use the make the move. In fact, according to our latest Cloud Report, 24% have no experience in the Cloud. Perhaps more interesting is that an overwhelming 88% of respondents said that Cloud providers need to do more to build confidence levels in Cloud adoption.
So what are the main concerns? And how can providers better support organisations?
First, the findings from our report suggest that cyber security and data protection are the two biggest issues that are eroding confidence levels in the Cloud. Half are worried about security and 45% about data protection and the geographical location of data. Almost a third (28%) are put off from using the Cloud because of recent high-profile attacks.
Second, there is a clear job for technology providers to do in reassuring businesses that, if managed properly, the Cloud is secure and helps with compliance.
At Advanced, we are committed to safeguarding personal information and make every effort to reassure our customers that we have secure development practices. We understand that organisations are concerned about cyber security and privacy, which is why we have stringent policies to ensure that their personal information is handled safely and responsibly.
Our software solutions have been designed with security in mind and our UK-based data centres, which provide Cloud hosting services, meet or exceed Tier 3 standards, and are protected in line with industry best practice. Furthermore, our centres have multiple levels of physical security and are manned and monitored 24/7. Our certifications include ISO 27001 accreditation and we also have measures in place to ensure we are compliant with the General Data Protection Regulation.
It’s this level of security and compliance that gives organisations peace of mind that the data they store in the Cloud is safe. At Tier 3 data centres, for example, issues are constantly monitored and security is actively checked for vulnerabilities to help ensure systems remain uncompromised.
However, while it’s important that Cloud providers like Advanced demonstrate that their architecture is secure, it’s critical that organisations understand that responsibility for their data ultimately falls to them. Providers are responsible for the service they provide to their customers but it’s impossible to guarantee 100% protection if that very service is not managed properly.
According to Gartner research VP Craig Lawson,“almost all Cloud security failures have been attributed to customer actions”. Speaking at the Gartner Security and Risk Management Summit in Sydney in August, he also told delegates that as Infrastructure-as-a-Service becomes more popular, the number of data breaches will likely increase – but that most of the breaches will be caused by user created vulnerabilities, rather than faults from Cloud providers.
Implementing a layered approach to cyber security is therefore paramount. This must not only include rigorous IT security controls but end-user awareness and training too. Security should not just be about preventing how people get in, but also about stopping information getting out. After all, nearly 75% of data breaches are a result of actions from an end-user.
Organisations must provide their staff with the right tools and training to be able to identify signs of suspicious activity. A firm’s cyber security measures cannot simply rely on the expertise of a skilled IT team. Knowledge about best practice must be widespread across an organisation – and it must be an ongoing process too. Traditionally, organisations would be required to conduct an annual test for its employees, which could be something as tedious as a 30 minute presentation, in order to become compliant. The session might not even cover why they should be in the room or even care.
Employees are a company's first line of defence yet, while people are quite savvy about how to avoid cyber threats in their private lives, they often leave their companies wide open to attack.
Many employees, for example, use the same password for different work applications, or write them down, making their accounts vulnerable to hacking. Some also work while connected to less secure public Wi-Fi networks and access social media sites on their work PCs. And it’s not uncommon for staff to accidentally leave work laptops on trains, lose memory sticks and mis-mail documents.
So, while Cloud providers need to be more transparent on how they protect customer data in the Cloud, organisations need to take control of their own security and embrace user awareness. They need to create a culture of security which needs to be led at all levels and backed up with robust policies created and maintained in the business to reduce and detect risks early. A good internal culture will also make the management of data easier, will carry on through to all interactions with external relationships and hopefully encourage clients to be more security conscious too.
Essentially, cyber security must be a shared responsibility. There are simple steps that individuals can take to protect both their personal and company data in the Cloud (and beyond) but they need to be engaged if they are to truly take these steps on board. Sounds trivial but comedy is a fantastic way to engage with employees who otherwise might find security classes boring and of little value.
Digital Defense, for example, developed its SecurED training program in collaboration with award-winning Hollywood comedy writers. Ataata, which was recently acquired by Mimecast, takes a similar approach with its genius writing and branding that speaks to ‘real people’. I encourage any organisation to take a look user awareness programmes such as these.
Another fantastic resource is Cyber Security Month, an annual campaign taking place throughout Europe in October. It raises awareness of cyber security threats and provides tools for businesses and individuals to protect themselves online, through education and sharing of good practices.
With incidents around cyber security and compliance hitting the headlines again and again, it’s right for businesses to be concerned. But, with the right Cloud provider and an appetite for good cyber hygiene, cyber security needn’t be seen as a barrier to Cloud adoption.