Convergence of the Cloud – A Nexus of Forces
The general consensus is that everyone is using the cloud. Because they have to be careful about what they put in the cloud, some companies are using the cloud to a very small extent.
Security professionals still have security concerns about cloud providers and are taking various actions to determine the level of cloud security:
- Perform reviews up front of their cloud providers
- Conduct onsite visits to perform security reviews and evaluate controls
- Use questionnaires to determine security controls, such as the one provided by the Cloud Security Alliance
- Rely on supplier security attestations
While some companies have been able to get agreements for pen tests, there are still a number of cloud vendors who are unwilling to allow such activity because they have multi-tenant environments. It is challenging for such a cloud vendor to allow a pen test because it could interrupt the business of someone else.
Budgets and cost savings continue to be an issue. Oftentimes, the business believes that moving an application or business function to the cloud will save money. What is often overlooked is the need for additional security controls and the cost of those controls. Security professionals are therefore working to get involved at the front end of the process in order to advise the business as to the security and cost ramifications of their cloud decisions.
Organizations that have the government as a customer are especially challenged when it comes to using the cloud. The need to know what country your data is in is increasingly important. Because various government contracts stipulate that data cannot be located outside of this country, cross-border data flow agreements are becoming a bigger issue. This is especially critical because companies are not just directly doing business with the cloud, they are doing business with people who are in the cloud. Sometimes it’s down three or four levels in a business chain before you get to where you find the cloud in that supply chain.