The cloud is a powerful way to boost bandwidth and scalability and to help with security, but it brings significant complexity for both security and compliance. By significant complexity, we mean that it depends on the cloud provider at issue and what the level of security was/is at the enterprise.
A lot also depends on negotiated details, which again is a direct result of the size and clout of the enterprise versus the size and clout of the cloud provider. A Fortune 10 company is far more likely to get their way in cloud negotiations than would an enterprise that is among the smallest in the Fortune 1000. In theory, CISOs always want to enter negotiations with a cloud provider who has less clout than their enterprise.
Today, just about all of the Fortune 1000—along with similarly-sized privately held companies—enjoy hybrid cloud environments today, meaning that they have some of their data in the cloud while keeping the rest on-prem. Although it’s highly likely that the percentage of data that these companies will house in the cloud is likely to go up every year, it’s not likely that many of the F1000 will be going all-cloud anytime soon. That simply makes compliance and security twice as complex as the enterprise’s cloud setup—to the degree that the CISOs even know all details about their cloud platform’s settings and specifications—will be structured very differently than the enterprise’s on-prem operations.
Most of the larger cloud vendors will share with customers the big-picture details about their environment. But when it comes to the daily details about relatively small setting changes, the identities of all third-parties involved, and the salient details about the contracts with those third-parties, most F1000 CISOs know less than they need to and that is what makes compliance/security decisions so challenging.
For example, let’s say that the enterprise has told the cloud vendor about very specific data-sovereignty legal needs, where the enterprise has obligations to store data from Germany, for example, within German borders. The cloud vendor agrees, but what about the cloud vendor’s third-party partners? Does a backup firm necessarily comply? Or a disaster recovery partner? This is why custom contracts that bind the cloud provider to enforce a rule among all partners are so critical. Otherwise, if a breach occurs with one of those partners, your enterprise has to explain why its data was found where it was not permitted. Saying “large cloud provider promised us” may not persuade all regulators.
As for those configuration changes, a settings tweak that seems innocuous to a large cloud operation may be quite important to your enterprise. Transparency is critical. And that is something many cloud providers resist delivering. Given the fact that most of the disclosed cloud breaches have been attributed to configuration errors, it might be a good idea for cloud vendors to share these details with its tenants. Maybe not get permission from those tenants, but at least let them know what is being done so that enterprises have the option of raising security concerns.
There are reasons why enterprises will choose some data to stay on-prem. It might involve homegrown apps, legacy apps, and other coding that was never designed to be hosted externally. Many of these apps have much older code that was written by a team that might not even be with the company anymore. That makes IT and Security hesitant to move it—because they might not have the best team to fix whatever breaks.
Who is focused on what? Many of the top cloud providers have excellent security operations, with lots of resources and almost all of the tools they want. But cloud security employees are focused on delivering the safest environment for the cloud platform itself, along with tenants. The truth, though, is that many of those enterprise tenants’ needs are radically different from each other, so security made for all may be impressively suboptimal for some.
Then there are legal issues, especially when it comes to subpoenas. When some companies or law enforcement entities want to subpoena data from a specific company, their first move is supposed to be to approach the company directly. But when dealing with a company that is expected to be highly resistant, some companies and law enforcement members are opting to instead send the subpoena to the cloud host, hoping that the cloud team will at least share what that company has in the cloud.
Will that cloud team reach back out to the company? Historically, telcos often didn’t, making their own decision about whether they choose to comply. Some cloud companies have set policies that they comply with subpoenas while others are more hesitant. The cloud policies also differ when it comes to informing the tenant or not and if they do notify, how early do they do so? CISOs need to determine all of this in writing before hiring any cloud vendor. Many don’t think to ask.
Encryption. Another area where you definitely want to probe is encryption and especially focus on the cloud vendor’s policies about encryption key protections. What role do they let Cloud Access Security Brokers (CASBs) play? There’s also the security versus functionality argument about encryption. Encryption is essential protection for this data, especially when it’s out of the company’s direct control. But if the attackers—which might include an insider—can access the keys, it’s all over. In short, encryption plus key equals decryption. Hence, you need to know all of the details about every cloud provider’s key plans.
As for functionality, many CISOs have found cloud operations where gateway encryption rendered apps all but unusable because it broke search and sort.
Cloud compliance and security is absolutely do-able, but much of this comes down to what you ask and what answers are offered. No matter the deployment, one place to start improving networking and security posture is by using enterprise-grade DDI services. This helps improve data security and malware resilience, automate several administrative tasks, speed up incident response, and provide detailed visibility on what’s going on in the network, regardless of where data and applications reside. Bit it also simply provides a far more robust environment where appropriate-level defenses are baked in. With today’s tight operating margins, cutting costs is necessary. But this is absolutely not the place to do that.