5 Important Considerations for Cloud Security
Survey data consistently shows that enterprises remain concerned about security when it comes to Cloud adoption. In fact, along with regulatory compliance, it continues to rank as one of the top apprehensions when migrating to the Cloud.
There is a common misconception that security and compliance are one and the same thing. While they can be considered together in Cloud adoption strategy, they are actually quite different. Both are risk mitigation approaches but they accomplish different objectives. Security is what we do to protect ourselves. Compliance is what we do to trace back our activities if and when something bad (like a security breach) happens. So, they are complementary but not the same.
I will discuss compliance in a separate article. Today, I want to lay out a simple framework for building a secure environment. This is by no means a comprehensive strategy; it is a minimum set of considerations for risk mitigation. Every enterprise has its own environments and business drivers that will need a unique approach.
Application level security is a must. But the following are some important platform and infrastructure level security initiatives that must be a part of an overall Cloud adoption strategy.
- Data and Network Encryption
  - The most important thing any enterprise must do is protect its data. If the data is encrypted, much of the risk is mitigated. I separate data encryption, covering "data at rest", from network encryption, covering "data in flight". At a minimum, all sensitive data (think PCI, HIPAA, privacy laws, etc.) should be encrypted.
- Access Control
  - Many issues and incidents arise from unauthorized access or compromised accounts. The most basic protection is offered by a firewall (virtual or physical) that defines the security groups and ACLs (Access Control Lists) for a particular environment.
- Intrusion Detection and Prevention Systems (IDPS)
  - These are specialized network appliances that detect and block malicious attempts. They perform more sophisticated risk mitigation than firewalls and can be "tuned" over time to become more effective at detecting and preventing malicious activity. They are especially important for certain industries such as healthcare or finance.
- Distributed Denial of Service (DDoS) protection
  - DDoS is more a malicious attempt to hinder business than to create a data risk. However, the impact can be similar, as it can create chaos within the business and disrupt normal business activities. An enterprise's environment also becomes more vulnerable to other forms of attack while it is under a DDoS attack.
- Security Training
  - Last but certainly not least is security training and awareness. It is widely understood that over 90% of security-related incidents are caused by humans, whether intentionally or unintentionally. A security training and awareness program is a must for any enterprise. Best practice is to deliver the training at least once every year.
I'm surprised best practice re training is annually. Given the speed of new threat development and proliferation, the variety of approaches, and staff turnover, I would have expected quarterly to be a better minimum standard.