Build a Strategy to Securely Operate in a Cloud-First World

Robert LaMagna-Reiter, Sr. Director - Information Security, First National Technology Solutions

Realizing Efficiencies
One of the fastest-growing trends in the digital world, cloud computing, is proving to be an efficient and cost-effective tool that companies are using to stay relevant and competitive. The cloud is a network of servers that allows businesses to provide services and applications in a fast, available, flexible and scalable manner. Businesses are utilizing cloud-first strategies to avoid having to financially invest in owning and operating the costly hardware, like servers, that is required to offer services to their customers.

Staying Competitive
According to research by Gartner, by 2020 the shift in IT spending from traditional hardware and software to cloud computing will affect more than $1 trillion in IT spending worldwide.

Not embracing the cloud is becoming a competitive disadvantage for companies, regardless of their industry. According to Nomura research, in the next few years organizations plan to have more than 50 percent of their applications based on the Software as a Service (SaaS) cloud model. SaaS is a web-based software distribution model in which a third-party provider centrally hosts applications and makes them available to customers. Currently, 30 percent of organizations have SaaS-based applications. If a business isn’t already using the cloud as part of its strategy, it is already behind the trend.

Customizing Cloud Technology
There are multiple ways to take advantage of cloud technology and choosing the right one will depend on what issues a business is trying to solve. The deployment model consists of the private, public and hybrid cloud. The public cloud can be an economical option for testing and development, while the private cloud makes it possible for businesses to meet certain security and compliance requirements while leveraging virtualization. The hybrid cloud option can refer to the combination of physical and virtual environments or the combination of private and public cloud options. The service model refers to Infrastructure as a Service (IaaS), Software as a Service (SaaS) and Platform as a Service (PaaS).

The trick to taking advantage of the benefits of cloud integration is maintaining a pre-defined risk posture, which consists of the security policies, procedures and controls that a business has to protect it from threats. According to research by Nomura, the top two drivers of company spending are security and cloud computing. Cloud security concerns not only top the list of perceived barriers to cloud adoption, but they are further increasing in importance. General security concerns, legal and regulatory compliance concerns, data loss and leakage risks, integration with existing IT environments and lack of expertise top the list of barriers to cloud adoption.

There have been several data breaches and outages in recent years, resulting in class-action lawsuits, million-dollar settlements and millions of dollars in lost revenue. A company can minimize threats and vulnerabilities by strengthening its security controls, anticipating risks and developing solutions. However, it is important to put this in context, as the number of reported breaches in enterprise environments far exceeds the reported exposure to cloud platforms.

It can be safe for a business to trust a third party to manage its data, if the business does its research before forming a partnership. There is a shared responsibility between a company and a cloud provider to deliver a secure environment and determine who is responsible for security components and risk mitigation. In most cases a company will select a trusted cloud provider to manage the physical components, infrastructure, network and virtualization. In certain areas, businesses can also have their cloud provider control the operating system or application, and depending on the situation, businesses could retain control. Companies ultimately own the data and are responsible for controlling where, how, what and when it is stored or accessed.

Staying Aligned
Information security and risk management teams should always be aligned with the business’ overall objectives and existing security programs. The teams should identify and address any concerns, implement added safeguards and ensure the technical teams that are managing the day-to-day administration understand the company’s policies and procedures. A company’s executive and technology leadership teams should be aware of the company’s exposure, depending on the data residing with the cloud provider. A cloud provider’s information security department will work closely with the business on an ongoing basis to ensure all proposed solutions do not raise the overall risk posture of the organization. Data control and configuration management are some added strategy considerations that can fundamentally differ from internal processes.

While security is a main factor in forming a partnership with a cloud provider, businesses should also take the provider’s location, culture, pricing, customer support, response times and flexibility into account. Implementing a cloud solution, like many IT projects, requires careful planning, thorough testing and a full assessment once complete. A company must be aware of the risks it is willing to take in order to meet its strategic objectives. With the right partner, any enterprise can ensure all existing risk-mitigation techniques are met or exceeded. At the same time, the benefits of operating in a cloud environment can be experienced. There is no one-size-fits-all solution, but with proper due diligence, securely operating in a customized cloud environment is possible.