You have to hand it to the Rolling Stones. They foretold the current debate over…
If someone asked you “how safe is a community,” how would you respond? Would you ask what kind of community they mean, tell them about the community you live in, or just shrug your shoulders and say, “it depends”?
The question “how secure is the cloud?” is every bit as difficult to answer. There are many different types of clouds, with different levels of security. But while you can’t redesign your community to fit your security needs, you can control your cloud. A custom-built managed private cloud can have all the security controls and precautions your organization needs to keep your data safe.
So, how secure is the cloud? As secure as you want it to be.
How Secure is the Cloud You’re in Right Now?
Many people don’t like the idea that their sensitive data is “in the cloud” instead of on site under their watchful eyes. Just as you can keep inventory safer by locking it in your own secure warehouse, it feels like data should be safer in your own data center.
But the truth is, you’re already in the cloud. Customers purchase goods on the Internet, workers log in remotely, different offices send data back and forth — and that doesn’t include the email, file sharing, and 3rd party apps your workers are already using.
“Moving to the cloud” usually means hosting mission critical apps with a 3rd party vendor offsite. It changes where your data is hosted, but that won’t make it easier for hackers to attack, or create new cloud security risks. In fact, in many cases you’re more secure in the cloud.
How Secure is the Cloud? Safer Than Your Legacy Systems
Most onsite ERP landscapes were designed for a pre-cloud era. Customers couldn’t purchase goods and services online, workers couldn’t access sensitive data from anywhere, and offices couldn’t sync vast amounts of information across countries and continents. These systems depended on setting up a secure perimeter — as long as bad guys couldn’t get access to the system, everything was fine.
Additionally, cybercrime wasn’t the bustling industry it is today. Until a few years ago, exploiting cyber security vulnerabilities required expertise. Nowadays, hackers sell pre-built exploit kits and other crimeware, allowing almost anyone to hijack user accounts, steal login data and potentially compromise your IT security. A vast underground market for leaked data further incentivizes cybercrime, and well-resourced government-backed hackers regularly target (and often breach) the world’s most prominent government and corporate organizations.
As a result, older onsite systems tend to lack the controls necessary to keep data safe in the cloud era. They’re often built without modern network security architecture best practices that protect sensitive or mission-critical parts of the network. Many have outdated or non-existent encryption, or lack sophisticated access control to minimize cloud security risks. They may have unpatched and long-neglected applications, just waiting for a cybercriminal to scan the network and find the backdoor.
The situation is especially dire for manufacturing IT security and compliance. Many organizations use old Industrial Control Systems (ICS) which were designed to be totally offline. On multiple occasions, hackers have sabotaged software updates with malware. When the manufacturer downloads the tampered update from the vendor, the attacker gains control of their system, letting them issue commands to machinery, sabotage equipment and even endanger lives.
By contrast, modern enterprise application hosting is designed around modern security needs. From network design and configuration, to encryption, to sophisticated access control, everything is designed to minimize risk and maximize security. For cloud-native ERP, the only limit on security is the vigilance of the team and the processes behind it.
How Secure is the Cloud: Which Cloud?
“The cloud” can refer to a huge range of landscapes — from a wiki that anyone can edit to a purpose-built landscape protected by sophisticated SAP security services and 24-hour incident monitoring and response. Cloud security varies based on how a given cloud is built and run.
Cloud services are commonly divided into Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS). This division affects how cloud security is handled. For example, in SaaS, the user is often only responsible for protecting their login. The provider furnishes an app or software suite, and does most of the security heavy lifting.
On the other hand, an IaaS provider just leases out resources in the cloud, making the tenant responsible for implementing and securing their own IT landscape. The IaaS provider is still responsible for building secure infrastructure and running the data center, but the security of the cloud will depend much more on the tenant’s team.
However, the level of service often has a bigger effect on security in cloud computing than the type of service. Commodity cloud vendors tend to offer insufficient visibility and support. In other words, you won’t know where your data is, what cloud security risks your infrastructure is exposed to, and how to mitigate those risks.
Managed enterprise cloud services such as a managed private cloud offer a higher level of visibility, support and security. The service provider works closely with the tenant to build and configure a cloud around their needs. The landscape is hosted in a purpose-built data center, by a professional team that can monitor the IT landscape at every level. How secure is the cloud in an enterprise landscape? Extremely secure — if the provider offers the right combination of services.
Factors That Determine the Security of the Cloud
How Secure is the Cloud From Fraud? Access Control and Security
Access control refers to the security measures that restrict what data or tools users can view, use, or edit. Access control can be very simple or very complicated, depending on the requirements of the landscape. For example, access control for a simple note taking app without sharing functionality would only have to authenticate users with a password or token to provide each user access to their own notes.
In an enterprise landscape, such as an SAP HANA cloud, access control is much more complex. SAP GRC access control restricts user roles to reduce the risk of fraud, incorrect record keeping and other internal security and compliance failures.
For example, it would be unwise to have the same person pay accounts and reconcile accounts, since that user could abuse their power to embezzle money using fake accounts. Similarly, the person who compiles a report shouldn’t have the power to sign off on it.
Process Control: Verifying Internal Data Security in the Cloud
Access control rules may not always be implemented correctly, or there may be ways for bad actors to get around them. Monitoring business processes like procure to pay or order to cash allows organizations to spot suspicious activities that may have slipped past access control. This is called process control.
SAP GRC access and process control complement each other. Access control governs user roles, while process control monitors the actual user activities. For example, an SAP GRC Access Control program like the ControlPanelGRC Access Control Suite would dictate that one user can’t create and pay an invoice. Meanwhile, SAP GRC process control would watch how invoices are actually generated and handled. If the access control failed and a user managed to create and pay the same invoice, it would be flagged as a potential violation and investigated.
Access control is always crucial to the security of the cloud. Process control is a supplemental layer that can enhance cloud security and compliance. It’s very useful for mature organizations who want to enhance their cloud compliance programs, as well as organizations which have to spend a lot of time recreating transactions in audits.
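The two layers described above, as an added illustration that is not Symmetry’s, SAP GRC’s or ControlPanelGRC’s code: a preventive segregation-of-duties check over role assignments (the access control side) next to a detective check over an invoice event log (the process control side). Role names, rules, users and events are all constructed for the example; the point is that the second check still catches a user who both created and paid an invoice even when their role assignments look clean on paper.

```python
"""Added illustration (not Symmetry's or SAP's code): a minimal access-control
segregation-of-duties (SoD) check next to a process-control check over a
constructed invoice event log. Role names, rules and events are invented."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# --- Access control: preventive SoD rules over role assignments ---------------
# Each rule names two roles one person must not hold at the same time.
SOD_RULES: List[Tuple[str, str]] = [
    ("create_invoice", "pay_invoice"),       # cannot both raise and pay an invoice
    ("pay_accounts", "reconcile_accounts"),  # cannot both pay and reconcile
    ("compile_report", "approve_report"),    # cannot both write and sign off a report
]

def find_sod_conflicts(assignments: Dict[str, Set[str]],
                       rules=SOD_RULES) -> List[Tuple[str, str, str]]:
    """Return (user, role_a, role_b) for every user holding a conflicting pair."""
    conflicts = []
    for user, roles in sorted(assignments.items()):
        for a, b in rules:
            if a in roles and b in roles:
                conflicts.append((user, a, b))
    return conflicts

# --- Process control: detective check over what actually happened ------------
@dataclass(frozen=True)
class Event:
    invoice_id: str
    action: str   # "created" or "paid"
    user: str

def find_process_violations(events: List[Event]) -> List[Tuple[str, str]]:
    """Return (invoice_id, user) where one user both created and paid an invoice.
    Catches cases where the preventive rule was bypassed (an emergency role
    grant, a missing rule, a misconfigured role) and no SoD conflict exists."""
    actors: Dict[str, Dict[str, Set[str]]] = defaultdict(lambda: defaultdict(set))
    for ev in events:
        actors[ev.invoice_id][ev.action].add(ev.user)
    violations = []
    for inv, by_action in sorted(actors.items()):
        for user in sorted(by_action["created"] & by_action["paid"]):
            violations.append((inv, user))
    return violations

# Constructed sample data (invented for this example).
SAMPLE_ASSIGNMENTS = {
    "alice": {"create_invoice"},
    "bob":   {"pay_invoice"},
    "carol": {"create_invoice", "pay_invoice"},   # preventive control should flag
    "dave":  {"compile_report", "approve_report"},
}
SAMPLE_EVENTS = [
    Event("INV-1001", "created", "alice"),
    Event("INV-1001", "paid",    "bob"),      # fine: two different people
    Event("INV-1002", "created", "erin"),
    Event("INV-1002", "paid",    "erin"),     # erin has no conflicting roles on paper,
                                              # yet did both: only process control sees it
]

if __name__ == "__main__":
    for c in find_sod_conflicts(SAMPLE_ASSIGNMENTS):
        print("SoD conflict:", c)
    for v in find_process_violations(SAMPLE_EVENTS):
        print("Process violation:", v)
```

Running the block reports carol and dave as SoD conflicts, and INV-1002 as a process violation by erin, who holds no conflicting role pair and so would never appear in the access control report.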
Hardening and Penetration Testing Fortify the Security of the Cloud
Locking a door in an office will probably stop unauthorized workers from snooping around in the room. A determined thief, however, may steal the key, pick the lock or break in. Similarly, although access control can stop opportunistic fraud and reduce internal security risks, it won’t stop a determined cybercriminal from breaking into a secure cloud.
Hardening and penetration testing are techniques organizations use to make cloud security less vulnerable to outside hackers. Hardening means reducing a network’s attack surface — the number of possible routes a hacker could attack to gain entrance. Security staff remove or disable unneeded functions, applications, and other features that could be exploited.
Hardening reduces the amount of terrain your cyber security services team has to monitor and defend. Even more importantly, it tends to shut down the most vulnerable parts of the system — the parts everyone has forgotten about. A company could have an old, unused application running in the background, which no one has bothered to patch, or even a default login from an earlier version of the ERP landscape. Hardening catches and removes these vulnerabilities before hackers can find and exploit them.
Penetration testing is a complementary method of strengthening security. Rather than accepting that the IT landscape works as designed, the security team attempts to find gaps in cloud security and hack in. The friendly “white-hat hacker” then uses their findings to strengthen security and remediate risks.
Regular penetration testing is required for cloud compliance. For example, PCI DSS requires testing once every six months. It’s also important to test after a major system change, which could unleash new vulnerabilities.
Countering Cloud Security Threats with Incident Detection and Response
How secure is the cloud with no one watching for hackers? About as secure as a fortress with no one guarding it. No matter how strong your defenses, a hacker can find a way in. Unfortunately, this is where most organizations fail. The average hacker spends 205 days inside a system before they’re detected — plenty of time to map the IT landscape, gain more control, and steal vast amounts of data.
The problem isn’t negligence or lack of priorities — it’s simple economics. Cloud security threats can strike at any time, which means you need around the clock security and compliance monitoring throughout your network. As soon as your detection team sees evidence of a hacker probing your network for vulnerabilities or unusual network traffic that could indicate a breach underway, an incident response team needs to be able to step in and neutralize the threat.
However, hacks are rare. If you handle cloud security threat monitoring internally, you’ll be paying a lot of money to have highly qualified security experts sit there around the clock and wait for something bad to happen. For all but the largest companies, this is economically untenable. So naturally, most companies treat data security in cloud computing as a 9-to-5 job (or even a side job for their admins) and hope for the best.
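The kind of evidence a detection team looks for, as an added example that is not Symmetry’s code or tooling: a small rule run over constructed firewall deny-log lines that flags a source hitting many distinct ports on one host inside a short window, the probing described above. The log format, addresses, threshold and window are all assumptions made for the example; a real monitoring team would tune them to the landscape and feed them from the actual firewall.

```python
"""Added illustration (not Symmetry's code): a detection rule over constructed
firewall deny-log lines that flags a source touching many distinct ports on one
host within a sliding time window. Log format and thresholds are invented."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Assumed log line shape: "<ISO timestamp> DENY src=<ip> dst=<ip> dport=<port>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) DENY src=(?P<src>[\d.]+) "
    r"dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)$"
)

def parse_line(line: str) -> Optional[Tuple[datetime, str, str, int]]:
    """Parse one log line; return None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return (datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["dport"]))

def detect_port_probes(lines: List[str], window: timedelta = timedelta(seconds=60),
                       threshold: int = 10) -> List[Tuple[str, str, int]]:
    """Return (src, dst, distinct_ports) for each src/dst pair denied on at least
    `threshold` distinct ports inside some `window`-long sliding window."""
    events: Dict[Tuple[str, str], List[Tuple[datetime, int]]] = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ts, src, dst, dport = parsed
            events[(src, dst)].append((ts, dport))
    alerts = []
    for (src, dst), hits in events.items():
        hits.sort()                       # order by timestamp
        best, start = 0, 0
        for end in range(len(hits)):
            # shrink the window from the left until it spans at most `window`
            while hits[end][0] - hits[start][0] > window:
                start += 1
            distinct = len({port for _, port in hits[start:end + 1]})
            best = max(best, distinct)
        if best >= threshold:
            alerts.append((src, dst, best))
    return alerts

# Constructed sample log (invented addresses from documentation ranges).
SAMPLE_LOG = [
    # one source walking ports 20..31 on a single host within twelve seconds
    f"2024-05-01T10:00:{i:02d} DENY src=203.0.113.5 dst=10.0.0.7 dport={20 + i}"
    for i in range(12)
] + [
    # a second source repeatedly denied on one port: noisy, but not a sweep
    "2024-05-01T10:00:05 DENY src=198.51.100.9 dst=10.0.0.7 dport=443",
    "2024-05-01T10:00:06 DENY src=198.51.100.9 dst=10.0.0.7 dport=443",
    "2024-05-01T10:00:07 DENY src=198.51.100.9 dst=10.0.0.7 dport=443",
    "this line is malformed and must be skipped",
]

if __name__ == "__main__":
    for src, dst, n in detect_port_probes(SAMPLE_LOG):
        print(f"ALERT possible port sweep: {src} -> {dst}, {n} distinct ports")
```

The sliding window matters: a slow sweep spread over hours would not trip this rule at a 60-second window, which is exactly why the text argues for continuous, round-the-clock monitoring rather than a single threshold checked during office hours.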
Although your onsite IT team may never be able to provide adequate cyber security services, a managed services provider can. Symmetry provides a comprehensive suite of cloud security and compliance services. We can monitor your system for both internal and external threats around the clock, providing a much higher level of cloud data security at a much lower cost than your onsite team can.
Company Culture and the Security of the Cloud
Your workers can either be a threat or an asset to security in the cloud. Poorly trained, negligent or malicious insiders increase the risks of common cyber security vulnerabilities, making it easier for the bad guys to get inside. From entry level staff to the CEO, it’s crucial that everyone sees cloud security as their responsibility, and does their part to keep your IT landscape safe.
This can be quite a challenge for organizations handling cloud security in-house. Executives often lack an adequate understanding of cloud security threats, and may have trouble taking a critical look at the security practices of their workers — or their own security practices. They may not understand just how much the culture needs to change to keep the IT landscape safe.
A managed services partner can bring a more objective outsider perspective to your organization, addressing flaws in your security culture far more effectively. Symmetry takes you through the entire cloud security and compliance process, auditing your internal defenses, creating a program tailored to your needs, and training workers at every level how to minimize risks without harming productivity.
How Secure is the Cloud? Secure Enough to Sleep Easy!
Your data is your most important asset. It determines your profits, your customer relationships, your future success and the very identity of your business. Symmetry provides cutting edge controls backed up by consultants with decades of experience, to ensure your data stays safe.
Learn about our cutting edge managed security and compliance program, Security Complete PlusGRC.