Migrating from a traditional data centre and embracing popular public cloud platforms such as Amazon Web Services (AWS) or Microsoft Azure is a growing trend for many businesses. In fact, according to Gartner, the worldwide public cloud services market is expected to reach $204 billion in 2016. There is a misconception, however, that making this move translates to a “hands-off” approach with no need to be an active participant in IT management.
This is especially the case when it comes to security and compliance. While public cloud platforms provide protection for computing processes, storage, database operations, networking and physical security of servers, users are expected to fulfill a “shared responsibility” for protecting data. They are obligated to secure a number of important elements including data, platforms, applications, identity and access management, operating systems, networks and firewalls.
It is important to understand that fulfilling compliance requirements such as the Payment Card Industry Data Security Standard (PCI DSS) does not equate to sound security. Instead, a reliable and repeatable security strategy must be in place to serve as the foundation for compliance that can consistently withstand the scrutiny of audits. Fortunately, the cloud offers an ideal forum to manage these processes.
While fulfilling compliance and security in the cloud can potentially be more demanding than one would expect, it can yield significant dividends in terms of flexibility and scalability. Despite this, many industries struggle to address the required technical and cultural shift to secure data and intellectual property in the cloud. The primary challenge is a lack of resources and in-house expertise to assume this additional oversight.
In some cases, organisational goals for this endeavour are unclear. As a result, unqualified security personnel could be recruited, inappropriate security tools purchased, or the wrong cloud hosting provider selected.
Keys to success
Prioritisation for security and compliance is essential. It is impractical and cost-prohibitive to secure all data to the same degree. For a successful security strategy, data needs to be classified as low, medium or high risk, and this breakdown has to align with organisational objectives.
Due diligence is required to identify security solutions that offer both comprehensive compliance and reliable security tools that match business operations. The ideal scenario is to choose a security expert, partner or service provider that will not only clearly define the lines of responsibility in correlation with compliance standards, but also offer counsel and guidance in terms of data protection.
Setting the course
A detailed “Responsibilities Matrix” that correlates with compliance and security standards is a recommended approach. There should be ongoing dialogue between business leaders and IT teams to ensure that appropriate resources are in place. After alignment is achieved internally, organisations will be better suited to engage security providers that can execute on these goals.
Companies should seek advice that lays out best practices for security and compliance, as well as documentation and data classification reviews, complete with access to expertise that can help identify the aspects of shared security that matter most. These components are fundamental to increasing the confidence level of both an organisation and its customers.
Security is absolutely a shared responsibility when using public cloud platforms, and it is a mistake to shy away from it. But it is not just about whose responsibility it is to do what. A knowledgeable security provider should be expected to take a partnership approach to this critical task, communicate clearly, and take overall responsibility for the quality of service that is ultimately delivered.
Without a comprehensive strategy that executes sound shared security in concert with compliance adherence, the true ROI of public cloud platforms cannot be realised.
Ian Taylor is the EMEA service manager for Armor, a cyber security company that keeps sensitive, regulated data safe and compliant in the cloud. He possesses more than 12 years’ experience in the UK payment services sector with a focus on compliance adherence.