Cloud users and partners must be able to prove that their data are secure in any environment. To best ensure security in a multi-tenant environment, shift security thinking to prevent vulnerabilities, minimize attack vectors and plan for layers of security across every organisation inside a business.
A 451 Research Voice of the Enterprise survey reports that 42% of respondents rated cloud services as ‘very important’ to strategic objectives. Mission-critical systems and operations are moving to the cloud.
This article was originally posted on Cloud28+ on 7 March 2017.
Cloud 28+ users and partners must be able to prove that their data are secure in any environment. Cloud providers offer excellent security, compliance and services, so it makes sense to use the cloud rather than trying to build and maintain your own data center.
But what can Cloud 28+ members do to ensure security in a multi-tenant environment? Shift security thinking to prevent vulnerabilities, minimize attack vectors and plan for layers of security across every organisation inside a business.
Use layers of security. Providers usually offer firewalls, edge protection, tenant isolation, and hypervisor rules. But who really owns those security features? The cloud provider does. Service providers routinely write into their SLAs that the ultimate responsibility for securing data and workloads lies with the cloud customer (the shared-responsibility model). So build your own layer of security on top of everything the provider supplies: VPNs, your own network firewall rules, encryption of data before it leaves your control, and cryptographic keys that you alone hold, so that neither the provider nor a neighbouring tenant can read your data even if the provider's isolation fails.
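The last point, keys that you alone control, is what envelope encryption with a tenant-held master key gives you. The following Go program is an added illustration written for this article, not code from Cloud28+ or from any provider: each object is encrypted under a fresh data key, the data key is wrapped under a master key that never leaves the tenant (in practice an HSM or a KMS the tenant administers), and only the ciphertext plus the wrapped key are handed to provider storage. The object name is bound as associated data so a stored object cannot be quietly served back under another name. Key sizes, the sample object name and the sample record are assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// EncryptedObject is everything that actually leaves the tenant and lands in
// provider storage. The master key that unwraps WrappedKey is not part of it.
type EncryptedObject struct {
	WrappedKey []byte // per-object data key, AES-GCM encrypted under the tenant master key
	KeyNonce   []byte // nonce used when wrapping the data key
	Nonce      []byte // nonce used when encrypting the payload
	Ciphertext []byte // payload ciphertext, GCM tag appended
}

// newGCM builds an AES-GCM AEAD from a 16-, 24- or 32-byte key.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// randomBytes returns n bytes from the OS CSPRNG.
func randomBytes(n int) ([]byte, error) {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		return nil, err
	}
	return b, nil
}

// Seal encrypts plaintext under a fresh 256-bit data key, then wraps that data
// key under masterKey (envelope encryption). objectID is used as associated
// data for both operations, so the envelope is bound to one object name.
func Seal(masterKey []byte, objectID string, plaintext []byte) (*EncryptedObject, error) {
	dataKey, err := randomBytes(32)
	if err != nil {
		return nil, err
	}
	dataAEAD, err := newGCM(dataKey)
	if err != nil {
		return nil, err
	}
	nonce, err := randomBytes(dataAEAD.NonceSize())
	if err != nil {
		return nil, err
	}
	ciphertext := dataAEAD.Seal(nil, nonce, plaintext, []byte(objectID))

	masterAEAD, err := newGCM(masterKey)
	if err != nil {
		return nil, err
	}
	keyNonce, err := randomBytes(masterAEAD.NonceSize())
	if err != nil {
		return nil, err
	}
	wrapped := masterAEAD.Seal(nil, keyNonce, dataKey, []byte(objectID))
	return &EncryptedObject{WrappedKey: wrapped, KeyNonce: keyNonce, Nonce: nonce, Ciphertext: ciphertext}, nil
}

// Open reverses Seal. It fails if masterKey is wrong, if the stored bytes were
// modified, or if the object is presented under a different objectID.
func Open(masterKey []byte, objectID string, obj *EncryptedObject) ([]byte, error) {
	masterAEAD, err := newGCM(masterKey)
	if err != nil {
		return nil, err
	}
	dataKey, err := masterAEAD.Open(nil, obj.KeyNonce, obj.WrappedKey, []byte(objectID))
	if err != nil {
		return nil, errors.New("cannot unwrap data key: wrong master key, wrong object name, or tampered envelope")
	}
	dataAEAD, err := newGCM(dataKey)
	if err != nil {
		return nil, err
	}
	plaintext, err := dataAEAD.Open(nil, obj.Nonce, obj.Ciphertext, []byte(objectID))
	if err != nil {
		return nil, errors.New("payload authentication failed: object modified in storage")
	}
	return plaintext, nil
}

func main() {
	// Assumption: in a real deployment this key lives in a tenant-controlled
	// HSM/KMS and is never stored alongside the objects it protects.
	masterKey, err := randomBytes(32)
	if err != nil {
		panic(err)
	}
	const objectID = "tenant-a/invoices/2017-03.csv" // constructed sample name
	obj, err := Seal(masterKey, objectID, []byte("constructed sample record"))
	if err != nil {
		panic(err)
	}
	plaintext, err := Open(masterKey, objectID, obj)
	fmt.Printf("recovered: %q (err=%v)\n", plaintext, err)

	// Simulate a provider-side modification of the stored ciphertext.
	obj.Ciphertext[0] ^= 0x01
	_, err = Open(masterKey, objectID, obj)
	fmt.Println("tampered object rejected:", err != nil)
}
```

The design point is the split: the provider can store and serve `EncryptedObject`, but without the tenant's master key the wrapped data key is useless to it, and any modification, renaming or cross-tenant substitution of the stored bytes fails authentication on retrieval rather than being silently accepted.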
Focus on risk-based security, not audit compliance. Traditional compliance-based procedures focus on audits, objectives, policies, and transactions. A risk-based approach to cybersecurity focuses on the business and the customer, emphasizes risk management over compliance tracking, and draws on diverse knowledge and experience. Passing the audit is not the same as being secure, and failing at security is far more expensive than the audit: the Ponemon Institute estimates the actual cost of compliance with regulations such as PCI DSS, the EU's Data Protection Directive, or the US's HIPAA at an average of $3.5 million for a mid-size organization, while the cost of non-compliance was estimated at $9.4 million, almost three times the cost of complying.
Get everyone involved. Put the increased board scrutiny to good use and have the entire organization participate in security awareness and prevention. Delegate security assessment tasks across the organization to ease the workload, raise awareness, and help everyone involved shift their security thinking toward actionable risk management.
Learn from others, and use the NIST Framework. After the publicity around large breaches, more regulatory and government agencies are updating their security standards to match modern cybercrime. Some of the best, most comprehensive guides include the National Institute of Standards and Technology (NIST) Cybersecurity Framework, the European Banking Authority (EBA) guidelines, and the Payment Card Industry (PCI) Data Security Standard 3.0. By using the NIST Framework in particular, IT organizations can run their own cybersecurity "health check" and compare their current security procedures with industry best practice.
Organisations can self-evaluate their cybersecurity with participation from all business unit leaders and the whole IT team, and repeat the self-evaluation regularly to check how security policies hold up against reality as the business grows. Including the IT, HR, sales, and legal teams rounds out the self-evaluation process.
Cloud 28+ members should also remember to add encryption and monitoring within their own networks to strengthen the provider's existing security. Make sure to review all of the security options available in the Cloud 28+ catalogue.
By: Margaret Valtierra