The recent incident of data theft by an employee at Morgan Stanley has made the issue of data security top-of-mind for many industry professionals. It has particular relevance today, as cloud computing has transformed the world of IT.
Organizations using the cloud have become more agile, and are able to introduce new business models, provide more services and reduce IT costs. Not very long ago, an organization’s physical infrastructure – made up of the servers in its data center – was used to house enterprise data, which made it possible to segregate sensitive data in individual physical servers. Now, with virtualization and the cloud, an organization may have logical control, but its data physically reside in an infrastructure owned and managed by another company. Maintaining control over the data, therefore, is paramount to cloud success.
Data protection is the most important cloud concern today. According to a 2012 study by Computerworld that measured cloud computing trends among technology decision makers, vendor security capabilities are key to establishing strategic value. Organizations expect third-party providers to manage the cloud infrastructure, but they are often hesitant to grant them visibility into sensitive data. This is because, today, there may be a new type of “insider” who does not work for the organization but has control of and visibility into its data. Such issues make organizations very apprehensive about security risks in the cloud, raising concerns about whether they need to implement additional internal controls in the private cloud, as well as whether third-party providers can provide adequate protection in multitenant environments that may also store competitor data.
Virtualized environments and the private cloud involve new challenges in data access and security, thereby creating mixed levels of trust, as well as the potential weakening of separation of duties and data governance. The public cloud compounds these challenges with the ready portability, accessibility and availability of data to anyone connecting with the cloud server. With the hybrid cloud, the challenge is to protect data moving back and forth between the enterprise and a public cloud. Specific security challenges pertain to each of the three cloud service models: Software as a Service (SaaS), Platform as a Service (PaaS), and Infrastructure as a Service (IaaS).
The Cloud Security Alliance (CSA) has put together the following list of the nine most prevalent and serious security threats in cloud computing, billing them as the ‘Notorious Nine’:
- Data Breaches
- Data Loss
- Account or Service Traffic Hijacking
- Insecure APIs
- Denial of Service
- Malicious Insiders
- Abuse of Cloud Services
- Insufficient Due Diligence
- Shared Technology
The cloud is about shared infrastructure, and a misconfigured infrastructure or vulnerable application can lead to compromises beyond its immediate surroundings. For this reason, the CSA recommends a defensive strategy in a shared infrastructure, applying heightened defenses to the use of computation, storage, networking, applications and user access, with constant monitoring for destructive moves and behaviors. NRI provides a range of services in the enterprise information security space to help organizations prepare a more impenetrable defense against the ‘Notorious Nine’.