Running both cloud and on-premises systems is not the same as having a hybrid cloud. Hybrid cloud is the integration of physical servers, private cloud and public cloud under a single, seamless management structure. Precisely because that integration spans environments with different owners and controls, it is worth turning a critical eye to the areas where businesses run into trouble when deciding how to secure this way of working.
The first of the three pillars of a secure hybrid cloud environment is risk assessment and management. All too often, an organisation's journey to the cloud veers off course because it has not thoroughly evaluated the impact of moving a particular asset to the cloud. What is called for is an in-depth, per-asset risk assessment, which should ideally include the following steps:
– A definition of the risks that apply to each asset, weighted by the asset's business criticality
– An assessment of the current status of each risk while the asset is still on-premises, before it is moved to the cloud
– An assessment of the risk profile of each asset assuming it has been moved to the cloud, so that the two profiles can be compared and any risk that increases is identified before migration rather than after it
Interestingly, and counter to popular stereotypes, such assessments often reveal that a move to the cloud will not expose the business to security vulnerabilities in the ways originally assumed. Success lies in gathering sound data and then managing the identified risks proactively. It is also important to bear in mind that a hybrid environment can include scenarios in which private clouds and applications 'burst' out to a public cloud provider for additional capacity as required. Organisations may not have considered this, but it is a key benefit of the technology available to them, with one caveat: a workload that bursts out takes its data and its attack surface with it, so the burst path itself belongs in the risk assessment and should not be treated as an exception to it.
The second pillar is transparency. The importance of clear and open communication from cloud providers about the security embedded in their offerings cannot be overstated. For some businesses the cloud is something of a leap of faith, as it involves relinquishing a degree of control. Providers would do well to share as much information as possible with prospects about their environment, offerings, controls and configurations, including where the provider's responsibility ends and the customer's begins, in order to build a foundation of trust and allay concerns early in the sales cycle. Providers also need to demonstrate that they are aware of the risks and costs associated with implementing a cloud strategy, and to put forward suggestions on how to mitigate them based on their experience with other clients.
Another effective way to gain and retain customer trust is to formalise the handover process. Once policies and procedures are in place, schedule regular meetings, reviews and audits, and thoroughly assess any area of poor performance or concern. Providers should also be upfront about any security incidents that have occurred, and willing and able to explain how these were detected, contained and resolved.
The third pillar is compliance, and cloud providers need to understand that simply listing compliance certifications is not sufficient. In line with the transparency explored in the previous point, providers should take a proactive stance on sharing their security implementations and controls. Adherence to standards and regulations should be the minimum baseline for considering any provider, but on its own it is not enough to engender buyer confidence: a certificate attests to a defined scope at a point in time, and it does not say which of the provider's services, regions or controls were actually audited. Organisations should therefore look for providers that not only provide proof of certification, but can also explain what the certification covers, how they achieve and maintain their compliance levels, what problems they have encountered in this area and how these were overcome.
The move to the cloud is not an 'all or nothing' affair, and it certainly does not happen overnight. Maximising its benefits ultimately comes down to sound risk management, transparency from the provider and a sharp awareness of what compliance does and does not guarantee.