Is the Cloud Actually Secure?

Category

Cybersecurity Fundamentals


By now you’ve heard of “the cloud” and you know that it helps power your favorite apps. But should your organization move its information to the cloud? And more importantly, is it secure?

“Should we move to the cloud?”

When thinking about moving your organization’s information, or deploying your applications in the cloud, there are myriad benefits, including availability, cost, and mobility. However, you may be worried about the security of your organization’s information. Some organizations push everything to the cloud because they believe it relieves them of all the cybersecurity responsibilities associated with their current on-premises data center or servers. Others are hesitant because the cloud “can’t be secure since it’s located somewhere else.” Luckily, there is a way to assess your cloud provider’s security and how it may work for you.

“Ok, so where do we start?”

The first step is to understand your organization’s information types and their requirements. Some things to consider:

  • What are the requirements for your information’s availability? Do you always need to access the information, or can there be times when it’s unavailable?

  • What compliance requirements do you have to meet? These could include laws and standards like PCI DSS, HIPAA, FISMA, or state privacy laws like CCPA.

  • Will you be moving all of your information and apps to the cloud, or just some of them? How will your organization’s information be used or processed once there? Who will have access - clients, customers, employees?

“Got it - but how do we then secure our information?”

Once you’ve identified your organization’s information types and their considerations, you’ll need to understand what your potential cloud provider, or providers, are offering in terms of their “security controls.” Generally, security controls are based on a risk management framework like the NIST Cybersecurity Framework, NIST 800-53, or ISO 27001, and serve as guidance for how to secure an IT system or application.

The goal here is to use this framework as a checklist to delineate responsibilities between you and your cloud provider. Ask your potential cloud provider not only what security controls they are offering, but how they are offering them. Oftentimes, cloud providers will only implement part of a security control’s protections, and your organization will still be responsible for some of the work. For example, your cloud provider can’t know who should have access from your company, so you’ll still be responsible for maintaining that list.

If you were to use the NIST Cybersecurity Framework to evaluate a database being hosted in the cloud, your tracking of the information might look like this for a sample of the security controls:

Security Control ID# | Our Organization | The Cloud Provider

ID.RA-1: Asset vulnerabilities are identified and documented
  Our Organization (Partial): We will identify vulnerabilities on our database and will document and remediate them.
  The Cloud Provider (Partial): The cloud provider will identify vulnerabilities on the infrastructure that hosts our database and will document and remediate them.

PR.AT-1: All users are informed and trained
  Our Organization (Partial): We will train our users to operate and use the database safely and securely.
  The Cloud Provider (Partial): The cloud provider will train their users to operate the infrastructure that hosts our database securely and safely.

In doing this exercise, you can also compare multiple cloud providers. Do they both provide the same level of security control protections, or does one provide only a fraction of the security controls of another? Generally, cheaper cloud providers charge less for a reason, but this may be OK for your organization’s use case and risk tolerance. Make sure to use your work from the identification of your organization’s information and its considerations in your decision-making process.
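As an added example, not code from the original post or from Hive Systems, here is a small Python checker for the kind of tracking table shown above: it flags controls that neither party fully owns, or where a claimed share has nothing written down, and lists the controls on which a second provider offers less than the first. The "None" coverage level, the PR.AC-1 row and the second provider are constructed assumptions for the sample.

```python
from dataclasses import dataclass

# Coverage levels from the tracking table; "None" is a constructed label for no share at all.
RANK = {"None": 0, "Partial": 1, "Full": 2}

@dataclass(frozen=True)
class Row:
    control_id: str     # e.g. "ID.RA-1"
    ours: str           # our organization's share: "None", "Partial" or "Full"
    ours_note: str      # what we commit to doing
    provider: str       # the cloud provider's share
    provider_note: str  # what the provider commits to doing

def gap_reason(row):
    """Return None if the control is clearly owned, otherwise why it slips through the cracks."""
    if row.ours not in RANK or row.provider not in RANK:
        return "unknown coverage level"
    # Full coverage on either side, or two partial shares, adds up to an owned control.
    if RANK[row.ours] + RANK[row.provider] < 2:
        return "nobody fully owns this control"
    # A claimed share with nothing written down is a responsibility nobody can verify.
    for who, share, note in (("we", row.ours, row.ours_note), ("provider", row.provider, row.provider_note)):
        if share != "None" and not note.strip():
            return f"{who} claim {share} coverage but wrote down no responsibility"
    return None

def find_gaps(matrix):
    """Map control id -> reason for every control that is not clearly delineated."""
    return {r.control_id: why for r in matrix if (why := gap_reason(r))}

def weaker_provider_controls(matrix_a, matrix_b):
    """Control ids where provider B offers a lower coverage level than provider A."""
    b = {r.control_id: r for r in matrix_b}
    return sorted(r.control_id for r in matrix_a
                  if r.control_id in b and RANK[b[r.control_id].provider] < RANK[r.provider])

# Constructed sample: the two rows from the post plus a PR.AC-1 row where our side is unassigned.
PROVIDER_A = [
    Row("ID.RA-1", "Partial", "We find, document and remediate vulnerabilities on our database.",
        "Partial", "Provider does the same for the infrastructure hosting our database."),
    Row("PR.AT-1", "Partial", "We train our users to use the database securely.",
        "Partial", "Provider trains its staff to run the hosting infrastructure securely."),
    Row("PR.AC-1", "None", "", "Partial", "Provider manages only the infrastructure credentials."),
]
# Constructed second provider that drops its share of user training (PR.AT-1).
PROVIDER_B = [r if r.control_id != "PR.AT-1" else Row(r.control_id, r.ours, r.ours_note, "None", "")
              for r in PROVIDER_A]

if __name__ == "__main__":
    print(find_gaps(PROVIDER_A), weaker_provider_controls(PROVIDER_A, PROVIDER_B))
```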

“What’s the bottom line?”

If you’ve just scrolled to the bottom here to find out the answer, the short version is that the cloud can be secure as long as you can delineate your cloud provider’s responsibilities and your organization’s responsibilities. Without a clear understanding, responsibility for security will slip through the cracks and lead to a potential cybersecurity incident.

Find a trusted partner to help guide you through a risk management framework and an evaluation of security control responsibilities. Hive Systems is a leader in this area and helps make the overwhelming world of cybersecurity approachable.
