Cloud security breaches consistently make news headlines. Yet, the stories of these breaches are often framed with vague explanations — a “misconfigured database” or mismanagement by an unnamed “third party.”
The ambiguity that surrounds cloud computing can make securing the enterprise seem daunting. Concerns about security have led some CIOs to limit their organizational use of public cloud services.
However, the challenge exists not in the security of the cloud itself, but in the policies and technologies for security and control of the technology. In nearly all cases, it is the user, not the cloud provider, who fails to manage the controls used to protect an organization’s data.
Exaggerated fears can result in lost opportunity and inappropriate spending
“CIOs need to ensure that their security teams are not holding back cloud initiatives with unsubstantiated cloud security worries,” says Jay Heiser, Vice President Analyst, Gartner. “Exaggerated fears can result in lost opportunity and inappropriate spending.”
CIOs must change their line of questioning from “Is the cloud secure?” to “Am I using the cloud securely?” Use these recommendations for developing a cloud strategy and predictions for the future of cloud security to find the right answers to this question.
Develop an enterprise cloud strategy
First, obtain consensus from the leadership team. All members need to agree that cloud computing has become indispensable and that it should be governed through planning and policy. This is the most significant step to ensure appropriate levels of cloud security.
Organizations that make explicit executive decisions on their cloud strategy are providing far more guidance to the business and IT. Increased guidance allows for:
- Better requirement analysis
- More sophisticated architectural planning
- More flexible risk acceptance processes
The enterprise strategy should outline the organizational expectations for the form, significance and control of public cloud. This gives CIOs a clear mandate to influence the use of public clouds on behalf of business units. The strategy should also include guidance on what data can be placed into which cloud under what circumstances.
Apply risk management practices to support cloud decisions
There is no such thing as perfect security protection. Accepting some risk is necessary for leveraging public cloud services, but ignoring these risks can be dangerous. When formulating a cloud computing strategy, organizations must make calculated decisions about what they will and will not do to mitigate cloud risks based on budget and risk appetite. This should be part of the overall cloud strategy.
A risk treatment model can provide a transparent view into cloud risk levels, helping IT leaders make appropriate decisions around the use of cloud. The risk model for public cloud should be based on five domains:
- Agility: The CSP’s ability to support unanticipated future needs
- Availability: Service disruptions and data loss
- Security: Confidentiality and data control
- Supplier: Changes in cloud provider business model or viability
- Compliance: Regulatory and other legal requirements
Using these domains as a framework, carefully weigh the risks versus the benefits before presenting any cloud decision. This will help CIOs set expectations with the rest of the leadership team around the security of the cloud. Accepting cloud risks is a legitimate business decision, but only if it is done consciously, with explicit acceptance of the responsibility.
Act on cloud predictions
Through 2025, 90% of the organizations that fail to control public cloud use will inappropriately share sensitive data.
Cloud strategies usually lag behind cloud use. This leaves most organizations with a large amount of unsanctioned, and even unrecognized, public cloud use, creating unnecessary risk exposure. CIOs must develop a comprehensive enterprise strategy before cloud is implemented or risk the aftermath of an uncontrolled public cloud.
Through 2024, the majority of enterprises will continue to struggle with appropriately measuring cloud security risks.
Questions around the security of public cloud services are valid, but overestimating cloud risks can result in missed opportunities. Yet, while enterprises tended to overestimate cloud risk in the past, there’s been a recent shift — many organizations are now underestimating cloud risks. This can prove just as detrimental, if not more so, than an overestimation of risk. A well-designed risk management strategy, aligned with the overarching cloud strategy, can help organizations determine where public cloud use makes sense and what actions can be taken to reduce risk exposure.
Through 2025, 99% of cloud security failures will be the customer’s fault.
CIOs can combat this by implementing and enforcing policies on cloud ownership, responsibility and risk acceptance. They should also be sure to follow a life cycle approach to cloud governance and put in place central management and monitoring plans to cover the inherent complexity of multicloud use.
This article has been updated from the original, published on January 23, 2017, to reflect new events, conditions or research.