In this interview with Dwight Koop, CFO and COO at Cohesive Networks, we ask what’s the big deal with cloud security? Should security doubts put enterprises off moving their businesses to the cloud?
Why, from a security standpoint, are people typically hesitant about moving their operations to the cloud?
Fear, uncertainty and doubt (or FUD). The news can sound pretty scary: 43% of companies worldwide have reported being breached in 2014 (Ponemon Institute report), the Sony hack cost over $100M to correct (Reuters), and systems are vulnerable for an average of 229 days before IT teams detect a data breach (Tripwire).
But, the good news from all this FUD is that there is more attention from the board level down. A 2015 PwC survey reports that 76% of respondents are more concerned about cybersecurity threats this year, up from 59% the year before. Plus, companies are moving to the cloud. 42% of respondents to 451 Research’s Voice of the Enterprise survey rated cloud services as being ‘very important’ to strategic objectives.
When we first started using AWS and other public clouds in 2008, we weren’t sure what kind of data and workloads our enterprise customers would migrate to the cloud. Some early industry watchers predicted the entire IT operation would move in one leap, others thought only non-critical, internal operating systems would migrate.
Now as more mission-critical systems and operations move, enterprises must be able to prove that their data is secure. Cloud providers spend far more on security than a small business ever could, so it makes sense to use the cloud rather than trying to build and maintain your own data center.
Why are you passionate about this topic?
My co-founders and I created our first network security product in 2008 because we saw that cloud technologies could help enterprises demand more scalable, secure, on-demand and easily consumed computing capabilities. Our backgrounds in networking, enterprise IT, and global financial services allowed us to watch organizations “grow into cloud” from concept to reality.
Reality has really set in now – with news of expensive and embarrassing hacks happening almost weekly. Since the beginning we’ve advocated for user-controlled security, and now is the time for enterprises to really start listening.
What steps can companies take to mitigate these concerns? / What are your best tips for cloud security?
- Use layers of security. Usually, providers offer firewalls, edge protection, isolation, and hypervisor rules. But, who really owns those security features? Cloud providers. Service providers often write in their SLAs that the ultimate responsibility for security lies with the cloud users. Build your own layer of security on top of all the security features in the cloud. Use things like VPNs, network firewalls, data encryption, and cryptographic keys that you alone control.
- Start thinking about risk-based security, not audit compliance. Traditional compliance-based procedures focused on audits, objectives, policies, and transactions. A risk-based approach to cybersecurity focuses on the business and customer, emphasizes risk management over compliance tracking, and incorporates diverse knowledge and experiences. Or, put another way: the Ponemon Institute estimates the actual costs of compliance with regulations such as PCI-DSS, SoX, HIPAA for a mid-size organization averages $3.5 million while the cost of non-compliance was estimated at $9.4 million (3 times the cost to comply!).
- Get everyone involved. Put that increased board scrutiny to good use and have the entire organization participate in security awareness and prevention. Delegate security assessment tasks across the organization to ease the workload, raise awareness, and help everyone involved shift security thinking toward actionable risk management.
- Learn from others, and use the NIST Framework. After the publicity of big hacks, more regulatory and government agencies are updating security standards to match modern cybercrime. Some of the best, most comprehensive guides include the National Institute of Standards and Technology (NIST) Cybersecurity Framework, the European Banking Authority (EBA), and the Payment Card Industry (PCI) Data Security Standard 3.0. By using the NIST Framework in particular, IT organizations can do their own cybersecurity “health check” to compare their current security procedures with industry best practices.