Cloud computing. (Credit: Maksim Kabakou/Fotolia)

Whether adopting Microsoft Office 365, GoogleApps or specialized payroll and time-clock systems, businesses large and small continue to migrate critical applications and data to the cloud. According to a recent study, 81 percent of businesses plan to shift mission-critical applications to cloud providers. Cloud offerings often are measured by convenience, flexibility, performance and reliability metrics.

However, security—especially in the face of regulatory or compliance obligations—must be a critical concern. According to Tony Scott, U.S. Chief Information Officer, cloud providers can do a much better job of security than any one company or organization. Security should not be taken for granted, and companies must do their due diligence before moving to the cloud.

Toward that end, following are some less obvious but important considerations related to cloud security, along with some explanation as to why these necessary practices often get overlooked.

1) Take active measures to root out and exterminate “shadow IT,” which occurs, for example, when an individual end-user employee implements cloud services without the company’s knowledge or authorization. These implementations usually involve consumer-grade technology and services, as opposed to enterprise-grade, centrally administered offerings. This situation is often a self-inflicted wound.

Competitive employment markets drive technology adoption to increase personal productivity. IT must be sensitive to these needs and expect to see these services in the wild. In these circumstances it is not enough to simply block use—IT must offer alternatives that meet user need while maintaining the business imperatives around privacy, security and compliance.
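One concrete way to "expect to see these services in the wild" is to review outbound proxy or DNS logs against an allowlist of centrally administered services. The script below is an added illustration, not code from the article; the log format, the sanctioned-service allowlist and the consumer-service catalogue are all constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample proxy log lines (timestamp, user, destination host, bytes sent).
SAMPLE_PROXY_LOG = """\
2024-03-01T09:01:12Z alice outlook.office365.com 1200
2024-03-01T09:02:40Z bob drive.google.com 480000
2024-03-01T09:05:03Z carol api.dropbox.com 2400000
2024-03-01T09:07:51Z bob api.dropbox.com 120
2024-03-01T09:09:30Z dave files.wetransfer.com 91000000
2024-03-01T09:11:02Z alice teams.microsoft.com 3300
"""

# Hypothetical allowlist of sanctioned, centrally administered cloud services.
SANCTIONED = {"outlook.office365.com", "teams.microsoft.com", "drive.google.com"}

# Hypothetical catalogue mapping known consumer-grade services to a readable name.
KNOWN_CONSUMER_SAAS = {"api.dropbox.com": "Dropbox", "files.wetransfer.com": "WeTransfer"}

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<user>\S+) (?P<host>\S+) (?P<bytes>\d+)$")


def find_shadow_it(log_text, sanctioned=SANCTIONED, catalogue=KNOWN_CONSUMER_SAAS):
    """Aggregate traffic to hosts outside the allowlist.

    Returns {host: {"service": name, "users": set(), "bytes_out": int}} so IT can
    see which unsanctioned services are in use, by whom, and how much is leaving.
    """
    findings = defaultdict(lambda: {"service": None, "users": set(), "bytes_out": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # tolerate malformed lines instead of aborting the whole review
        host = m.group("host")
        if host in sanctioned:
            continue
        entry = findings[host]
        entry["service"] = catalogue.get(host, "unknown cloud service")
        entry["users"].add(m.group("user"))
        entry["bytes_out"] += int(m.group("bytes"))
    return dict(findings)


def high_volume_uploads(findings, threshold=50_000_000):
    """Unsanctioned hosts whose outbound volume meets the threshold, largest first;
    these are the ones to triage (and offer a sanctioned alternative for) first."""
    over = [h for h, e in findings.items() if e["bytes_out"] >= threshold]
    return sorted(over, key=lambda h: findings[h]["bytes_out"], reverse=True)
```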

2) Make sure the cloud provider adheres to security standards that meet the security obligation of the company or entity. For example, entities that hold personally identifiable information (PII) of California residents must now comply with the SANS Institute, Center for Internet Security “Critical Security Controls.” Yet, to date, most cloud providers do not represent or certify compliance with those controls. While certain security standards are equivalent to the CSC, others are not or might not go far enough, especially when limited to the common controls for data centers.

Cloud service providers often approach their customers with a “take it or leave it,” internet-based, click-through subscription agreement, leaving customers feeling they have little leverage to negotiate a better agreement. However, legal standards are evolving, becoming more detailed and hard-lined, forcing providers to accept new standards to accommodate the market.

3) Confirm the cloud provider applies holistic data security practices across the organization. Often, cloud services providers go to great lengths to define the data security for their data centers but omit any mention of the security practices and controls applicable to other aspects of business operations. This is especially critical where the provider also offers professional services along with the infrastructure, software or other cloud services which are the primary focus of implementation.

The natural concern is the security of the data at rest in the cloud data center. However, most data security incidents are the result of a “daisy chain” attack that starts on a personal device far removed from the data center. Through compromise of credentials, the attack eventually penetrates the data center as a “trusted” user. The affected user may be employed either by the customer or by the cloud service provider, but the provider’s systems must reliably detect and prevent such attacks across the board.

4) Resist the temptation of “fire and forget” with respect to maintaining good cybersecurity policies and practices, as well as ongoing monitoring for threats. Moving from on-premises electronic communications and collaboration software such as email, text, chat, file storage, etc., to cloud-based tools does not relieve IT staff of its obligation to maintain diligent cybersecurity. The idea that the “cloud provider” will take care of security is not enough. Or as the old Russian proverb holds, “Doveryai, no proveryai”—“trust but verify.”

Moreover, IT must take the lead to ensure the user base does not adopt a false sense of security. Social engineering and human failure are the leading causes of cyber incidents, whether the data is in the cloud or behind the corporate firewall.

5) For global operations, give due consideration to data location. While this area of law is unsettled, where the data is stored can have serious consequences that require thoughtful risk analysis. Data location based on server location can impact jurisdiction and possession, custody and control issues in litigation. Location also can trigger unwanted attention from privacy regulators. There are performance compromises to make when data must be regionalized. Further, the operation of the system could give rise to unintended data transfers that also trigger attention from data protection authorities.

6) Purchase the most appropriate cyber insurance coverage for the enterprise. If cyber coverage was acquired for behind-the-firewall operations, cloud-based operations may not be covered or, worse, may be excluded. Moreover, when acquiring, expanding or renewing cyber coverage, you will likely find yourself answering new and detailed questionnaires about your cyber hygiene. Your representations there must be consistent with your actual practices.

Companies that overlook these issues needlessly increase risk of compromise and any resulting liability. Further, proliferation of shadow IT to the cloud leads to loss of management or control of company information, carrying its own privacy and security risks. Without appropriate coverage, companies may bear the full financial brunt of an attack, including investigation, defense, indemnity, damages and remediation costs.

Properly vetted, the security benefits of cloud-based systems are unparalleled. Make sure the benefits aren’t packaged with unintended risks or consequences. Whether on premises or in the cloud, those responsible for information services and technology can no longer operate in a vacuum, rolling out new technology without due diligence best performed by an interdisciplinary group, including legal, compliance, audit, information security and IT.

With that, don’t let a quest for perfection delay delivery—users will work around delay or disruption to the detriment of all. Once any valid concerns are met, well-vetted technology solutions can be implemented with confidence that legal, privacy, security and compliance obligations are accounted for and met.