Businesses nowadays are in a conundrum. Because of fears of security breaches and concerns about cloud security, enterprises are understandably anxious about providing cloud services to their employees. But, as we all know, employees use these cloud services anyway, especially software as a service (SaaS) and other cloud-based applications.
News reports and other horror stories that detail security problems when using cloud service providers are enough to scare most organizations. They often do not adopt cloud services that cover the whole enterprise because, for the most part, they do not want to deal with the ambiguity and the risks associated with using these cloud services. And so, these organizations also shy away from instituting a corporate cloud policy.
For business leaders, having no corporate cloud policies in place makes sense. Admittedly, it is very difficult to come up with one because of all the ambiguity associated with cloud services. Even now, there is still wide disagreement on what cloud computing really is. Chief Information Officers (CIOs) and Chief Information Security Officers (CISOs) would define cloud computing as one way of computing, but the rest of the employees would see it as anything accessed over the Internet. And without a clear definition that everyone can agree on, it will be difficult to come up with rules regulating cloud services.
However, there should be a clear policy on the use of cloud services in the office and beyond it. And if you are just starting, it is very easy to get overwhelmed.
So we are here to provide you with a cheat sheet that could help you get started in the right way. To make it easier, you should focus on just three things.
The areas of cloud security that businesses need to focus on
As we have mentioned, not everybody agrees on what constitutes cloud computing. But everybody agrees that businesses need to have a corporate cloud policy. So where should you start?
Multi-tenancy happens when you share resources and space with other customers. Multi-tenant cloud services provide their software or service to a number of different customers so there is usually a small degree of flexibility in terms of services offered.
For instance, if you are using Gmail for work, then you can expect that you are using the same set of features and functionality that other users, regardless of where they work, are using. In this scenario, the data is outside of your organization’s control and this is one facet of security that you should focus on.
William Terdoslavich writes in InformationWeek that more than 80 percent of IT professionals plan to store their data in the cloud and other new technology environments, and out of these, 85 percent said that they were very concerned about cloud security.
But that might not be painting the whole picture. Gartner’s Jay Heiser clarifies that multi-tenancy is not really correlated with security failure. You do not run a higher risk of getting your data stolen just because you share a server with other enterprises. So why the fuss about multi-tenancy and cloud security? It’s because most organizations are afraid to hand over control of their data to an outside party, and perhaps even to change how they do things, especially when they move to a public cloud service provider.
A good way to go about this is to use a hybrid approach, which allows you to keep your most sensitive data on premises while enjoying the cheaper additional computing power of a public cloud platform.
Virtualized environments can offer a host of benefits for businesses. You can easily and quickly have another instance of an app running without having to buy a new CPU or memory. But for virtualization to flourish, you would need to use different tools and software to manage your virtual machines. Risk management, patching and update processes are also very different in a cloud environment. And unlike physical machines, virtual machines do not have blinking lights to alert you that something is wrong.
Software as a service (SaaS)
Your employees can be using a wide range of software as a service applications to do their jobs. The unofficial estimate is that employees of an average business will use anywhere from 200 to 1,000 SaaS applications. With that many applications being used by your employees, it is somewhat comforting that these apps generally have a good level of security that is continuously improved by the provider.
But beyond how widely they are used, SaaS applications are problematic because it is your employees who use them, so they are the ones in control. Their usage is not very transparent either. You do not know when they are using these applications or how they are accessing them. You don’t know what they are doing in these applications or how much information they are sharing through them.
How to deal with the risks associated with using SaaS applications
You simply cannot put a blanket restriction on the use of software as a service applications. You cannot tell your employees not to get on their phones and use an app that has so far made their jobs a little bit easier. So you would need to divide the different kinds of SaaS applications into three groups:
- Cloud-based SaaS applications coming from top providers. Around 80 percent of the SaaS apps being used today are cloud-based and offered by around 100 service providers. There is no doubt these applications are generally secure.
- SaaS applications provided by companies that are experimenting with cloud services. There are also SaaS apps that are provided by big brands whose main line of business is not a cloud service. For example, a mortgage calculator provided by a realtor. These apps generally do not have the same level of security as the apps in item 1. And these are the same apps that chief information security officers should be wary of.
- Then you have those applications that are provided by smaller cloud service providers. Like in item 2, you would do well to assume that these apps are not secure. And even if you find that they are, the company providing them might not be financially stable. If they fold up, then there goes your app and all the data you’ve put into it.