Keep enterprise data secure in the public cloud environment

Considering the maturity of IT outsourcing services, enterprises will naturally choose public cloud computing services in order to achieve greater cost savings and resource utilization. That is not the case. The security questioning of public cloud services is the main reason why enterprises dare not adopt public cloud service. For most businesses, the risk of data security makes them very fearful.

This article will outline why companies should adopt public cloud services for better benefits, what are the key security issues and challenges facing public cloud services, and what to do in the overall security assessment framework to address the security challenges facing public cloud services.

First, there is no conclusive data to support the view that "public cloud services are weaker than the security mechanisms in the enterprise's internal data centers". In fact, cyber attacks and data-loss cases for big companies such as Google, Sony & RSA have shown that tighter corporate internal security mechanisms can also be breached or bypassed by tricky social traps. Especially since the ancient times, a weak link in the mechanism of information security prevention has not been repaired, that is, "Human Factors".

Although these vulnerabilities do not directly relate to the public cloud, most companies tend to place important data such as intellectual property in their own custody. So can the public cloud properly preserve the intellectual property of the enterprise? Given the scalability, flexibility, and on-demand performance of the public cloud, the answer is yes.

Federal agencies, such as the United States, Singapore and many government agencies in Asia and Europe, are early adopters of public cloud services, and they have also facilitated the rapid maturation of cloud security services by public cloud service providers. In many instances and specific security types, such as malware, viruses, and the protection of distributed denial of service attacks, public cloud security technologies have proven to be more effective at protecting data than within an enterprise's security defenses. Sony's defense against Loic DDoS attacks is a good example.

In short, end users ' never-ending demand for Internet services has begun to extend public cloud services to media entertainment, such as music, movies, social media and E-commerce.

Companies do not have time to continue watching. If the public cloud services that have been successfully adopted by many enterprises are not adopted, the risk of a decline in corporate competitiveness may be more severe. If the firm still needs more convincing evidence, ask Oracle's Larry Ellison, who used words like "meaningless", "crazy" and "idiotic" to describe cloud computing, and now decides to join the cloud. Is this evidence convincing?

However, not all types of enterprise data or services are suitable to be managed in a public cloud environment, but from a general risk assessment framework, the data security risks of a public cloud can be controlled in a way that can be accepted by most businesses.

Know your Cloud solution risk

Each enterprise's characteristic is different, its security risk is also according to the Enterprise's industry and the operating environment. and the risk factors of the enterprise must be recorded and under management. Public cloud services also have their own unique security risks, which are different from traditional IT outsourcing, but are naturally linked to the technologies used by the public cloud. The following is a list of the risks of public cloud computing and the preparations that enterprises should make.

Key security Risks/issues related to public cloud computing include the following:

· Do not understand the cloud services used-because the low cost threshold of public cloud services, leading business leaders to think that the public cloud services than the enterprise IT department more cost-effective, so the enterprise to provide customers with new products and services through the public cloud services. The procurement of IT services must be under strict control to avoid the loss of enterprise data through the uncontrolled public cloud service channel.

· Information Security Management – the most basic security requirement in the data lifecycle is the confidentiality, integrity, and availability of the data. Specifically, the entire process of creating, storing, processing, and using, sharing, archiving, and ultimately destroying data needs to be secured. When enterprises cannot directly control the data directly through the service provider's equipment, they will face the security challenge. Therefore, it is important to select a public cloud service with data encryption, encryption key management, and high-availability scenarios.

· Know where the data is-throughout the lifecycle of the data, the enterprise must obtain the exact assurance from the cloud service provider to ensure that the enterprise's data is kept within the specified geographic range. This can be regulated and agreed upon through contracts, service level agreements and corresponding procedural laws and regulations.

· Electronic evidence – The use of public cloud services means that enterprises must share the same hardware devices, such as hard disks, with other enterprises. This means that there is a certain risk of data leakage. Because once an enterprise is investigated for legal issues, the Government and the legal institutions can extract and analyze the data stored on the hard disk according to the laws (such as the American Patriot Act) and do not need to be approved by the data master. Some sensitive information about the enterprise, such as personal identity information, should not be stored in the public cloud service environment to avoid this kind of situation.

· Vendor bindings – Sometimes it is harder to migrate from one cloud service provider to another than to use cloud services for the first time. Many cloud service providers are in the interest of taking advantage of the tendency to discourage users from abandoning their services and switching to others.

There is much discussion on the risks and challenges of choosing a public cloud service, and readers can use Cloud security Alliance (CSA), European receptacle and information security Agency ( ENISA), national Cato of Standards and Marvell (NIST) and other site references. It is believed that it can help many enterprises to understand the risk problem of cloud computing.

After anticipating the above risks, the enterprise can develop a risk assessment framework for evaluating the public cloud service providers and selecting suppliers that are suitable for the enterprise itself.

Data security recommendations when using public cloud computer Services

In order to minimize security risks when using public cloud services, organizations can do the following:

Establish a deployment worksheet for a cloud service project that includes:

· Decision making process using cloud services

· Business and cost considerations related to cloud services

· Identify reliable data storage scopes and understand end-to-end business processes through data flow charts and process flow tables.

· Understanding the use of cloud services – your service sourcing team and architects must have sufficient cloud service knowledge and skills to select cloud services and provide support.

· A cloud service registrar that records the consumption status of an enterprise using a public cloud service.

Establish or purchase a risk assessment framework for cloud computing. This framework should include:

· Defining information security policies when cloud services are used

· Classify enterprise data to determine which data is suitable for storage in the cloud computing environment and which data can be exposed to greater risk.

· Assess the impact on business operations once data has been compromised by confidentiality, integrity, and availability.

· Archive public cloud services security risk content

· List the control scenarios that reduce the security risks of cloud services (you can use risk-scenario approaches to develop detailed coping strategies for each potential risk)

· Upgrade information security contracts to address the security and operational issues associated with cloud services. The service level agreement does not meet the standard of compensation, information system audit and investigation of the power of evidence must be written in the contract with the cloud service provider.

· Conduct penetration testing of cloud services products, review the security control capabilities of cloud service providers, and select the cloud service provider that best meets the security needs of the enterprise. Consider using SAS type II reports or similar is audit reports to review the security control capabilities of service providers.

Setting up a public cloud service exit strategy

The enterprise must establish a cloud service exit strategy so that when the enterprise must migrate all data and applications back to the enterprise or change the cloud service provider, it will avoid being bound by the cloud services provider and unable to exit.

Summary

In a public cloud environment, data security is a responsibility that needs to be shared by cloud service providers and data owners. But at the same time data owners must be solely responsible for data privacy and protection. If their privacy protections for data do not meet regulatory requirements, they could incur hefty fines. As a result, many enterprises have invested in advanced information security risk management and control tools. These tools can balance the security risks based on the cloud architecture and help enterprises achieve maximum ROI. As a result, it is more common in the case of a public cloud service to identify and understand the security risks of a particular cloud service and to develop the required security controls for such risks, thereby minimizing the risk and not impacting the enterprise's adoption of cloud services.

So companies have plenty of reasons to choose cloud computing services, but at the same time companies have a good reason to defend themselves more closely in order to develop faster and safer in a new technology environment.