21 cloud security pros share their recommendations for organizations looking to move to a cloud-based security platform.
21 Security Pros Reveal the Top 3 Considerations When Moving to a Cloud-Based Security Platform
More companies are moving to cloud-based security platforms than ever before. There are many considerations that should be weighed by companies considering making the move to ensure that the cloud security provider of their choice meets their organization's security needs and can support the required security posture. Companies need to think about questions such as how a cloud security provider can help them maintain regulatory compliance related to the handling of sensitive data, how breach notifications are issued, who holds responsibility for addressing vulnerabilities and breaches, and much more – and that's not even considering the typical questions such as whether (and how) a technology integrates with the company's existing infrastructure.
To provide some clarity into the most important considerations companies should be weighing when it comes to making the move to a cloud-based security platform, we reached out to a panel of cybersecurity pros and thought leaders and asked them to answer this question:
"What are the top 3 considerations when moving to a cloud-based security platform?"
Meet Our Panel of Security Professionals:
Read on to learn what our experts had to say about the top three considerations companies should weigh when moving to a cloud-based security platform.
Justin Davis is a Certified Information Security Manager through ISACA, and a Technology Sales Leader for Enterprise Business at CenturyLink residing in San Francisco, CA, specializing in data security, MSSP, disaster recovery and business continuity.
"The first thing I encourage businesses looking to implement cloud based anything..."
Especially security, is to be extra mindful of the fundamentals. Whenever any service is outsourced, a business is potentially opening up their environment to attack. Ensuring all compliances are in place relative to the data they will be supporting is a necessary first step, along with fully understanding what steps the cloud solution provider takes to enforce security. Do they complete regular third-party audits?
The next step is to thoroughly understand the Service Level Agreements (SLAs). What is the cloud solution provider prepared to commit to in terms of service delivery, security, and uptime, and what compensation and penalties are they held to in the event of breaching their SLAs? This is essentially the foundation of the relationship between the business and the service provider. Only with strong SLA commitments can a business trust their service provider. Additionally, if the SLAs are lacking in strength, the business may not have effectively shifted an appropriate amount of risk to the service provider, negatively impacting the ROI of the solution.
Which brings us to the third consideration: Understand the ROI for the solution. This starts with knowing the value of the data the solution is protecting, both quantitatively and qualitatively, and calculating an Annual Loss Expectation (ALE) from a security event. If the ALE is less than, or not materially higher, than the annual cost of the solution, there may not be a business case to support implementing the solution.
Seth Steinman is the Marketing Manager at Upserve, a point of sale and management platform for the restaurant industry.
"When moving to a cloud-based security platform, consider the following..."
1. Invest in employee training: Although cloud-based platforms are generally more secure than traditional, on-premise solutions, the biggest organizational risks are still employees. While skimping on training might save some time and money in the short term, if your employees can’t use the system effectively, or don't know the warning signs of an attack, you’ll lose out in the long term.
2. Transfer and update data: It's important that all historical data is moved over to the new system, so that your Marketing, Ops, and Management teams can analyze past data to predict trends and increase future revenue.
3. Adopt orders and workflows (both internally and with partners): It's important to update internal processes to reflect the new system and workflows. But it's even more important that you communicate the changes with your partners. Consider common workflows and talk to your current partners (suppliers, distributors, third-party processors, etc.) – you may be surprised by their insights.
Pathik Jayani is the CEO of Blue Whale Apps, a U.S.-based app development firm with clients ranging from Discovery Channel, NBC Universal, and Jack Nicklaus to new startups.
"Arguably there is more to consider, but these are my top three considerations..."
Performance: Look for the platform that offers an innovative use of latest technologies rather than just using old school techniques. Application performance does not need to suffer while making it more secure. Application performance benchmarking is crucial before and after migration. Do not fall into the trap of "added security comes at the cost of speed."
Expertise and compliance: It's very important that the platform team has expertise in formulating quick responses to new threats. New threats arise frequently, and it is important that the solutions being formulated do not just “cure” the threat but also are in compliance with regulations and best practices. Adopting the platform being supported by the team of experienced experts is a MUST.
Simplicity and scalability: A cloud-based security platform should be able to address any sudden denial of services threats without really requiring any complicated work for many such day-to-day threats. While being simple, if needed, the platform should be open enough to scale to address other aspects of deployed systems and their integrations with third-party services without compromising functionalities.
Michael Avdeev has over 20 years of experience in information and network security in the fortune 500 companies, specializing in data protection, governance, compliance, system engineering and architecture. Prior to joining Digital Guardian, Michael was global solution architect at McAfee advising enterprise customers on data protection challenges and security. Also, Michael has held management roles at various organizations responsible for providing overall strategic security guidance, ensuring adherence to compliance regulations and system architecture.
"The top three considerations when moving to a cloud-based security platform are..."
Moving years of business infrastructure to the cloud not only requires a cultural shift; it also demands a sea of changes: technology and architecture, DevOps, security considerations and new skills for your staff. New architecture and multi-cloud deployments need skilled professionals overseeing the environment to avoid downtime, develop new automation, guard from vulnerabilities, and implementation errors, and most importantly protecting your company’s digital assets.
One of the biggest challenges for organizations when migrating to the cloud is ensuring data not only stays secure but also can be tracked, as it travels throughout the cloud environment and shared externally. Shifting to the cloud changes an organization's attack profile; the surface area increases. By marrying both visibility, to identify sensitive data, and automation, to enforce policies, organizations can better mitigate threats.
You can’t spin an enterprise's hosted ecosystem to a cloud ecosystem overnight. Make sure your company is ready for the cloud before embracing it. If you're a CISO, once you’ve committed, ensure you work with the necessary teams to efficiently migrate technology, identify operational gaps and create solid security foundation with proper processes and people in place. Keep an eye on the rapidly evolving threat landscape and new regulations to learn areas ripe for exploitation and protect most sensitive assets and your customer data.
Brent Stackhouse is the director of security at WP Engine.
"The top three considerations when moving to a cloud-based security platform are..."
1. Be clear on expectations and deliverables. Every vendor's platform or solution looks great – make sure you have clearly defined business objectives, as well as SLAs, metrics, and reporting, before engaging vendors.
2. Be clear on the changing risk equation. Every outsourcing opportunity affects risk – in the security space, even more so. If the probability and impact equation isn't favorable, it isn't the right choice.
3. Be clear on compliance and regulatory effects. Outsourcing security functions can directly and negatively impact your organization's ability to stay compliant.
When in doubt, engage a trusted third-party to help make an informed decision that takes into account the three dimensions noted above. Spending extra dollars to make the right decision, or to avoid the wrong one, will pay significant dividends over the lifecycle of a typical contract.
Greg Miles, Ph.D., CISSP, CISA, CISM is the Program Champion for Cyber Studies University of Advancing Technology.
"First, let us get a good definition of what a cloud security platform is..."
I would define a cloud security platform as the security services offered as part of cloud computing offerings. There are several cloud computing offerings out there that have begun offering security solutions to their cloud computing customers. The top three things I would consider for a cloud security platform are:
1. Comprehensive suite of security tools: A strong combination of security tools is necessary to effectively manage the security for your cloud applications. This includes virus detection and protection, malware detection and protection, integration of not only rule sets but also threat and anomaly detection. The security platform should offer recommended settings but should also be customer configurable so that settings can be based on business needs.
2. Continuously monitor and analyze: The cloud security platform must not only provide active and passive protection, but also must continuously monitor and analyze the cloud environment for potential issues. This includes logging and reporting of concerns identified.
3. Allow customer and third-party testing: Even with the security tools and continuous monitoring, you still need the ability to conduct vulnerability and penetration testing of the environment so to ensure effective security operations. Selecting the right cloud computing environment requires you to consider the entire offering. This includes the offerings provided to improve security. The solutions must meet business needs and be cost effective.
Don Meyer is the Head of Product Marketing, Cloud and Data Center at Check Point. He has more than 17 years of networking and security industry experience. In his current role, he is responsible for Check Point data center and cloud security.
"The top three considerations when moving to a cloud-based security platform are..."
1. Cloud networks/environments are vulnerable to the same threats targeting premises-based networks. Unfortunately, cloud vendors only deliver a portion of the needed security – based on access control lists (ACLs) or port filters – needed to protect cloud-based networks. Cloud service providers refer to this as the shared security responsibility model. In this model, the customer is responsible for securing their cloud environment along with any and all data, assets, workloads, or services they deploy. To be secure in the cloud, you need more robust and comprehensive protections that protect against today's sophisticated and multi-dimensional attacks. Thus, you need a similar arsenal of security technologies that we've been utilizing on our premises-based networks to protect any assets and data placed in the cloud.
2. Cloud networks are agile, automated, dynamic, and elastic – as we are now in the fifth generation (Gen V) of cyber-attacks, your security needs to match! Traditional network security solutions were designed to be static and manually intensive, not optimal in highly dynamic cloud environments. Trying to retrofit legacy security in a cloud environment is a recipe for disaster. In the era of cloud-based networking, security needs to be designed from the ground up to align to the dynamic nature of the cloud; be able to grow and shrink on demand as workload traffic increases or decreases, understand and automatically adjust to changes in the cloud as assets move or go dormant, and be provisioned automatically as new services come on-line. Context about the cloud, assets, applications, users, threats, and more needs to be shared and consumed to effectively bring security into the cloud.
3. Hybrid and multi-cloud are increasingly popular strategies, but this leads to added complexity and a higher likelihood of misconfigurations and policy misalignment along with poor visibility and control. Centralizing security management across all heterogeneous networks and environments alleviates the complexity of managing security, delivers consistency of policy and posture across all locations, and delivers a single point of view for logs, reports and threat visibility. In doing so, this greatly reduces complexity and improves the overall operational efficiency of managing security across increasingly cloud-enabled networks.
Jodie Shaw is the Chief Marketing Officer for The Alternative Board, a global organization that helps forward-thinking business leaders grow their businesses, increase profitability, and improve their lives by leveraging local business owner advisory boards and private coaching.
"The top three considerations when moving to a cloud-based security platform are..."
According to The Alternative Board (TAB)'s September 2017 Small Business Cyber Security Survey, more than half of CEOs report having been victims of cyber attacks, yet less than half have measures in place to protect themselves against them. Cloud-based security platforms are a great place to start with protecting your businesses' sensitive data. A few considerations to consider when choosing a cloud-based security platform include:
1. Cost: The average small business owner reports spending $8,933 per year on cyber security protection. Does the platform you're looking at fall within your budget?
2. Ease of implementation: The number one obstacle in the way of business owners doing more to protect their business from cyber attacks is time (43 percent) over resources (32 percent), expertise (30 percent), and capital (29 percent). Do your homework and find a platform that's easy to set up and get to know. Remember: employees are less reluctant to new technology when you can explain how to use it and why it's so important.
3. Firewall and network protection: The large majority of entrepreneurs (68 percent) agree that firewall and network protection is the most important cyber security investment, over antivirus protection (15 percent) and IT security awareness training (15 percent). Make sure your cloud-based platform covers this critical area of security.
Michael Leonidas is the founder and IT director at NIC. After 20+ years in the field of managed IT services, he has become a Microsoft Certified Systems Engineer, working to design and implement a custom cloud for his company. He enjoys snowboarding, golfing, and traveling to exotic places.
"The top three considerations when moving to a cloud-based security platform are..."
1. Detection technology: The first consideration when moving to a cloud-based security platform is how good the detection technology is. Look for factors such as the ability to detect and defend against zero-day threats and real-time sandboxing. The ability to inspect SSL traffic, performance overhead, compatibility with Windows, Mac, and Linux, and low false positive rates are also important.
2. Ease of management: The ability manage the solution from a single pane of glass is essential. Centralized deployment, policy templates, license management, whitelisting/blacklisting, and alerting capabilities are necessary features. Reporting is extremely important to help stay on top of the solution’s effectiveness, giving opportunities for fine-tuning, and due diligence for management.
3. Service and support: Service and Support are important factors to help keep the solution working well in the long term. Although a good solution will work relatively problem free, issues may arise due to the complexity of securing against modern threats while allowing legitimate applications to function properly. Access to a good support team will help resolve these issues quickly and provide guidance on handling future incidents.
Orion Devries is a researcher at Crozdesk.com, a business software discovery portal. He is involved in various software/SaaS related research projects.
"The top three things to consider when moving to a cloud-based security platform are..."
1. Identify the specific threats to your business and choose a solution accordingly. Your priority could be intrusion protection, mobile device management, or data loss prevention. While some products are specifically designed to prevent cyber attacks or unauthorized access, other focus more on limiting the extent of damage in the event of a security breach.
2. A product that offers endpoint protection. This gives companies more visibility into the security status of all the devices connected to their network. When something goes wrong, the system sends them alerts and notifications, so they can address and resolve the issue quickly.
3. A solution that provides threat intelligence. They are essential for providing insight and actionable intelligence regarding the latest threats seen.
An 8 Step Framework for Secure Cloud Adoption
Rob Jones is an experienced software and web developer with experience working in PHP, CSS, HTML, and in developing websites, apps, and plugins. He regularly deals with challenging security installations and is director of UK SEO digital marketing agency WildShark.
"Cloud security take-up is increasing and is estimated to reach $9 billion by 2019..."
As such, there is an increasing number of companies looking to utilize cloud security, and an increasing number of services offering it. However, not all services are equal, and no matter how effective a cloud security offering is, there are still inherent risks that need to be mitigated.
1. The greatest threat comes from within. Experian research suggests that 60 percent of security incidents were caused by or initiated by employees. This doesn't necessarily mean your staff is stealing data from you, but their actions, or inaction, could be causing major security breaches. The problem is even greater for those with remote workers and those that use their own devices to access sensitive data. This highlights the importance of ensuring that all company stakeholders implement cloud security features. Draw up strict policies and, rather than simply handing them out or emailing them, ensure that every team member is aware of how security impacts their daily work and timetable. This brings us neatly on to the next point:
2. Ensure that you have up-to-date security policies in place. Approximately a quarter of businesses do not have security policies in place, at all, while a lot of businesses that have them do not make them a part of their daily business. If your security policies are 5 years old, they're almost certainly out of date, and they will need updating or completely redoing. There are plenty of useful services online that can help draw up security policies, and you should routinely encourage your employees to become intimate with those policies and follow them to the letter.
3. A problem that has come to the fore in recent years is that of remote accessibility. More employees work from home than ever before, and it has become commonplace for employees to check emails and do work from home in the evenings or out of standard work hours. One of the benefits of cloud-based security is that the management software can be accessed from anywhere and implemented on any machine or device, which now includes IoT devices, that is used by employees. Have your remote workers bring in laptops and other devices, and if your employees use their mobile phones for anything as simple as checking work email, ensure that you implement cloud security features on those devices. Using cloud security is pointless, if only half the devices that are used by your organization benefit from that security.
Darren Guccione is the CEO and co-founder of Keeper Security, Inc. creator of Keeper, the world’s most popular password manager and secure digital vault and KeeperChat, the world’s most secure messaging app for all your devices. Keeper’s products are used by millions of people and thousands of businesses in over 100 countries.
"The three most important considerations when moving to a cloud-based security platform include..."
1. Be cautious with permissions: Not all security features are enabled by default. You need to be sure to switch on basic security settings like encryption and manage access controls. The headlines have recently been teeming with stories of companies leaving large troves of data open to the public because of a basic oversight. For example, last July Dow Jones left more than 2 million customer records out in the open for this reason, and in February, FedEx was embarrassed when 119,000 documents – including scanned passports, driver’s licenses, and other sensitive customer information – were left on an unsecured server
2. Understand regulatory limitations: Depending upon your industry, laws and regulations may limit where you can store data. In some cases, you may be required to keep information off of the cloud entirely. Other rules may prohibit cloud providers for moving data to servers outside of the country. Since many cloud providers have data centers spread across the globe, you want to be sure you have control over where your data is kept, and that you can access it anytime from anywhere. If you’re uncertain about how rules apply to you, consult legal counsel or industry trade associations for advice.
3. Use audit records: This one of the most useful services cloud providers offer, and in most cases there is no charge. Administrators of SaaS services can log on and see all the recent activity on their accounts, including who has been accessing them, for how long, and even what transactions were performed. Many services will also routinely alert you when your account has been accessed from a new device or location. If such services are available, enable them. They’re not only a great intrusion detection tool, but they can provide a valuable audit trail if your services breached.
Dr. Keaveny is the principal consultant/founder of Data Ethics LLC, an information management firm providing professional consulting services in the areas of data governance, analytics, and privacy. Prior to forming Data Ethics, Dr. Keaveny served in the roles of school district administrator, college professor, and teacher of students with special needs.
"Before signing an agreement with a cloud-based provider..."
Make sure to determine the supports that are in place should a breach occur. Questions to ask include:
1. How many third-parties does the provider use to facilitate their service?
Processes and documentation will need to be updated to include procedural safeguards and coordination with the cloud-based solution. Additionally, the level of security provided by the cloud-based provider should be clearly understood. Increased levels of security may need to be added in order to meet privacy and security requirements for the data being stored.
2. How will you be notified if a breach to their systems occurs and will they assist your company in the notification of your clients/customers?
By adding a cloud-based solution to storage of your data also adds an additional dimension of time to factor into the notification requirements that may apply to your data should a breach occur. These timing factors should be incorporated into breach notification procedures and privacy policies.
Tip #2: When switching to the cloud from a locally hosted solution your security risk assessment process needs to be updated. Prior to making the switch, a risk assessment should take place to understand the current state of the integrity of the data that will be migrated. Additionally, research should be done to review how data will be transferred to the cloud environment.
Questions to consider include:
1. Is your data ready for transport?
Reason: The time to conduct a data quality assessment is before migrating data to a cloud-based solution rather than after the fact.
2. Will this transfer be facilitated by the cloud provider?
Reason: It is important to understand the security parameters that are in place for the transfer of data to the cloud provider, especially when considering large data sets.
3.What level of encryption is required if any?
Reason: Best practice would include some level of encryption. This is especially important if data is being migrated to a cloud-based solution and is going to temporarily be located on a queuing server prior to being processed into your cloud-based account.
Mike Baker is Founder and Managing Partner at Mosaic451, a managed cyber security service provider (MSSP) with expertise in building, operating, and defending networks across North America. Baker has decades of security monitoring and operations experience within the US government, utilities and critical infrastructure.
"There is no reason to abandon cloud services to bring everything back in-house because of security concerns..."
Securing “cloud” assets comes down to the same foundational questions that are necessary to secure a “traditional” architecture. Those considerations are:
- What are the critical systems and applications?
- What are the baseline performance metrics associated with these systems?
- How do these systems communicate across an internal network and/or the Internet?
Arguably, the biggest challenge in protecting cloud data is that, unlike data stored on a network, it’s not located in one place. The data could be stored in any number of locations, such as an enterprise cloud storage solution like Amazon Web Services or even a Hadoop database, where the data is further scattered into thousands of fragments.
Regardless of the cloud DLP solution an organization chooses, it’s important for DLP policies to be consistent. The same data policies that apply within the enterprise must be enforced within the cloud. This is especially important for organizations that must comply with HIPAA, PCI DSS, and other industry-specific regulatory requirements; cloud data is treated the same way under the law as data stored on a server.
Cloud applications have ushered in a brave new “borderless” work world that promotes open collaboration and the free flow of information. This has allowed workers to be more productive and, in many cases, has made remote work possible, allowing organizations to tap a larger talent pool. Unfortunately, it has also opened up a whole host of vulnerabilities for hackers to exploit. Organizations that do not know where their data is, how it is being accessed, and who is accessing it also don’t know if the data is being breached by outside hackers or misused by malicious insiders. On-premises DLP alone is no longer sufficient to prevent data breaches and leaks
Daryl Heinz, CEO of DFHeinz, is a big data consultant supporting data security efforts within NASA, Jet.com, and the Chan Zuckerberg Initiative. He is the founder of Data Use Group Talks, or DUGTalks, free workshops open to professionals seeking to use open source tools to build modern, scalable data infrastructure.
"When moving to a cloud-based security platform, the top three considerations include..."
1. Looking into the Apache Software Foundation, which offers free, open source security solutions that have been tested for two decades by world-class industry leaders.
If you're looking to trim millions in licensing and analysis fees from your data budgets long term, it is important to consider the same free, customizable security solutions that Global 50 companies use. These solutions are open source projects that have been developed by some of the most talented data scientists in the world and tested by innovative leaders across the globe for two decades. The ASF Projects are a certain way to ensure that whatever updates the market may make in the next year, your enterprise is prepared to adapt using a security solution that is modern and forever relevant.
2. Evaluating open source security solutions that are both secure and scalable.
The idea that open source security solutions are not secure or scalable helps to perpetuate misinformation in the big data industry and big box security retail sales. Infrastructure that leverages open source tools can be secured by a professional open source security vendor, and security solutions can be automated. Open source solutions are leveraged by Global 50 leaders in the industry, and internal training for in-house security teams is a cost-effective way to ensure you have complete control over a robust security solution that scales as your needs scale.
3. Looking into Apache Metron, which offers a customizable solution for any use case.
Regardless of whether your company is pursuing professional open source security or in-house security management, it's important to recognize that whatever the level of breach, the indication of a suspected breach can be automated and the best practices for security solutions may also be automated. This enables teams to deliver subject-matter expertise for security at scale. Global 50 companies who use Apache Metron trim millions from their budgets each year by educating themselves on the open source products that are often resold by big box retailers looking to capitalize on widespread industry ignorance and its need for on-demand support services.
Rodrigo Montagner is an Italian-Brazilian IT Executive with 20 years of experience managing multiple businesses and IT environments internationally. He is currently CEO and Founder of OM2 Tech Consulting Solutions.
"I would consider among the top three considerations in beforehand of such a move..."
1. The leverage between my current business and the scale of the platforms. If my business is a multi-country, multi-time zone enterprise, more muscular providers have to be on the short list, diminishing latency or geographical issues or problems.
2. Orchestrate the current non-cloud based app solutions in the company along with the new security platform to be in place. It is key to understand, investigate, and deploy add-ons, connectors, and any needed integrator, mainly if the environment is a hybrid one.
3. Check back end and front end integrity. Many companies sometimes take it for granted, but it is key to run a very detailed impact analysis in advance, particularly when in hybrid scenarios (cloud and non-cloud based scenarios). There are a few hundred issues that could be allowed on an environment if the incorrect service gets online without proper testing and without considering the business' needs and specificity.
Sergio Flores is currently leading product development efforts at Smartfrog, a German Berlin-based IoT startup.
"There is no doubt that cloud computing and IoT have entirely revolutionized several industries by..."
Enabling business models that were never thought possible in the past. In fact, ever since it was discovered that processing data from edge devices on the cloud could unlock millions of possibilities in different areas by increasing efficiency, settings like safety and security, monitoring and managing wellness, energy management, and many others have hugely benefited from it. Nevertheless, as the number of cloud-connected edge devices has increased significantly, so have the limitations of cloud computing.
Some of the most important considerations that need to be made before migrating totally into cloud solutions are:
1. Latency and decentralization: Migrating completely into a cloud solution will usually come along with centralizing the computing of all data and requests in the cloud. However, while this can enhance the possibilities of data that can be processed, this might result in long latency and therefore a degraded user experience. Products that strictly require real-time communication (like security sensors) may require a strategy to decentralize the processing of information and do more things directly on the edge.
2. User privacy: Although it has become a general practice in the IoT industry to upload information to the cloud, process it and then fetch it through apps, this should be well thought in those cases where the information used is too sensitive. To give an example, companies that develop wearable health devices might as well be interested in not migrating completely into cloud solutions since that doing most of the data processing directly at the edge device can protect user privacy a lot better than uploading raw data to the cloud.
3. Data volumes: Migrating to a cloud solution might sound attractive at first place, but this needs to be deeply understood in the context of data volume. As an example, it might look attractive to upload security footage directly into the cloud to do face recognition processing on it, but if this footage is of high quality, not only will it occupy a lot of bandwidth just for uploading it, but it will also introduce tremendous latency to the user experience. Companies considering to migrate to a cloud-based platform need to clearly understand the limitations of it and consider all those different factors (like security and scalability) which will determine whether the plan will be successful or not.
Gregory is the VP of Operations at Single Point of Contact. He is an IT Security Specialist with over twenty years of network and security experience. He has worked with hundreds of firms on improving IT environments, consulting, and integrating technology for the enterprise network.
"When moving to a cloud-based security platform, the top three considerations are..."
1. What kind of security does the security vendor employ? Find out what they have as a security policy, what kind of software, hardware, IDS, IPS etc. they use to protect your data. What is their company's security policy, and are they audited or held accountable in any way?
2. Make sure there are ways to protect your data, like two-factor authentication, encryption, and other technology provided that will protect you.
3. Make sure your company is ready to move sensitive data. Have strong passwords, internal security policies, and requirements for companies that will hold your data.
With more than 30 years' experience in computer network support, IT consulting, and running his own business, Chuck Brown knows the key to developing effective business technology solutions. He and his brother, David, operate Infinity, Inc. in Savannah, GA, serving the cyber security, hosted phones, and cloud computing needs of businesses across all industries.
"Apart from scalability and cost (yes, you do get what you pay for - and sometimes you pay for more than you need), the top three considerations are..."
1. They use the shared responsibility model – the vendor is responsible for the security of the cloud infrastructure while you (the client) are responsible for the security of your own data and networks.
2. They are willing to share their knowledge. A good security vendor won't hold everything close to the chest; they will have a desire to educate you so that you're aware of what your role is in security, and the efforts they make will be supported by the things you do locally.
3. They have experience with your industry. Many industries have specific legal and other compliance issues that your security vendor must be aware of to protect you adequately.
Adnan Raja is the Vice President of Marketing for Atlantic.Net, a web hosting solution who offers cloud, HIPAA-compliant, dedicated, and managed hosting.
"When it comes to cloud security, there are several risks to be weary of including..."
Data compliance: If your business handles sensitive data like credit card information or patient health information, there are levels of compliance that must be met. Your cloud provider should be able to tell you which compliance standards they meet.
Cross-cloud policy management: Many professionals in the IT security space are moving toward multi-cloud management platforms designed to lower the burden by creating a centralized network and security policy.
Data leaks: It's very important to have the proper monitoring procedures in place so that you're able to track data store locations and traffic flows, both coming in and going out.
Data encryption: Data should be encrypted, especially when dealing with multiple cloud environments. It should also be protected as it moves between cloud demarcation points, as well as any time data is being processed or manipulated by a cloud application. Doing this will ensure that the data is protected throughout the whole data lifecycle.
Scalability: Make sure that your security tools, procedures, and practices are able to scale for growth. The most important thing to remember is to vet all security tools that are used in the cloud so that you understand how to expand them, while also understanding any challenges that might occur if rapid growth happens.
Jeremy Vance is the US Cloud VP of Technology. Vance has been in the IT industry for 20-plus years in a variety of leadership positions and roles. Having been on both sides as a producer of cloud security services and also as a consumer, he brings a tremendous amount of perspective to organizations looking to improve their security posture.
"The top three considerations when moving to a cloud-based security platform include..."
1. Verifiability: You need to be able to see how it works. It needs to go beyond “just trust me.” A cloud-based security platform needs to have been tested and verified by others, and those results need to be accessible to audit. A lot of proprietary products are open source, which allows the source code to be compiled and checked for security.
2. Modular: Does the platform stay current? Threats evolve hourly and the platform needs to be able to adapt to new threats and methods. If the platform is modular, then single modules can be replaced with updates and make the platform much more flexible.
3. Uniqueness: Does the platform come with unique authentication and authorization as the default? Can those be changed to follow your IT policies and best practices? Many platforms are doing a better job of avoiding the generic default credentials that are the same for everyone.