Published December 11, 2018 • By Karen Walsh

With your organization collecting more data every year, traditional systems and servers no longer provide cost-effective scalability. Most likely, you’re investigating, or already using, a cloud environment for data storage. Thus, to remain secure and compliant, your cybersecurity program needs to address the differences between cloud security and traditional security.

Cloud Security vs Traditional IT Systems

What does Traditional IT mean?

When you create a typical IT infrastructure, you connect your hardware devices to on-premises servers to store information. As you increase users, you need to incorporate more physical on-site hardware. This hardware, however, can be expensive.

The flipside of the expense coin is that the traditional IT setup provides greater control over your data environment, giving you a stronger cybersecurity stance.

What is a cloud services provider?

For a lot of companies, the concept seems abstract. A cloud provider allows you to incorporate the internet as a storage location, which enables cost-effective scaling. However, you’re also reliant on the service provider’s security controls.

Moreover, cloud computing comes in three different formats, which makes it even more confusing.

Public Cloud

Many people are familiar with public cloud service providers. Google Cloud Platform, Amazon Web Services (AWS), and Microsoft Azure all offer Infrastructure-as-a-Service (IaaS) to enable scalability. However, due to the massive amounts of information they store, public cloud environments find themselves targeted by malicious actors. According to the McAfee 2018 report “Navigating a Cloudy Sky: Practical Guidance and the State of Cloud Security,” 25% of companies using public cloud IaaS or Software-as-a-Service (SaaS) have experienced data theft.

Private Cloud

If you’re looking to mitigate the data security issues associated with public clouds, you might think that creating your own cloud will allow you more control. Although a private cloud enables you to maintain control over your data centers and cybersecurity compliance concerns, the costs rapidly outpace many companies’ financial capabilities. A SearchCIO article notes that between running your data center and hiring the appropriate IT staff, a private cloud can cost $1.5 million.

Hybrid Cloud

A hybrid cloud offers the best opportunity for many organizations seeking to scale. As the name suggests, a hybrid cloud means you’re using both the public cloud as well as an on-premises private cloud. However, since the private cloud typically only stores the most sensitive data, you can keep those costs lower while using a Platform-as-a-Service (PaaS) public cloud provider for other data. For example, you might store all your payment information on your private cloud then leverage your PaaS for software deployments or data that does not incorporate personally identifiable information.

What makes cloud security different?

Cloud environments change the way in which you access and store data. Because the information doesn’t live on your servers, you need to use tools, called application programming interfaces (APIs), that let your devices and servers talk to the cloud servers. Each API acts like a door that connects your systems to others. However, since you don’t control the locks that determine who can go in and out, you also can’t secure those doors appropriately.

In other words, you’re not just working with your cloud service provider. You’re working with all the applications that connect your software, networks, services, and devices to your cloud.

How to mitigate hybrid cloud security threats

With cloud infrastructures, you need to think more broadly about cybersecurity. While you may control the information shared with your cloud services providers, you don’t always control who accesses it.

Continuously review data stored in the cloud

Although you don’t control everything within your cloud environment, you can maintain review over the information stored there. With data continually being transmitted between your on-premises infrastructure and cloud infrastructure, you may not always know what is stored where. The constant data sharing eases workloads, but it can also lead to outdated information residing in your cloud.

You should regularly review the software and data shared to your cloud to ensure that only the information you want there resides there. If you’ve deployed software from the cloud, make sure that you no longer store outdated versions there. You also need to regularly review your cloud server to make sure no out-of-scope critical or protected data resides there.
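A minimal sketch of such a review, added here as an example and not taken from the original article or from ZenGRC: it checks a constructed object listing for superseded software versions and for card-number-like data that should not sit in public cloud storage. The inventory, object keys, file naming scheme, and patterns are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample listing of a public-cloud bucket: (object key, text content).
INVENTORY = [
    ("releases/billing-app-1.2.0.tar.gz", ""),
    ("releases/billing-app-1.10.1.tar.gz", ""),
    ("releases/portal-2.0.0.tar.gz", ""),
    ("exports/orders.csv", "id,card\n17,4111 1111 1111 1111\n"),
    ("exports/tickets.csv", "id,ref\n9,1234 5678 9012 3456\n"),
]

# Assumed naming scheme: <name>-<dotted version>.tar.gz or .zip
ARTIFACT = re.compile(r"^(?:.*/)?(?P<name>[A-Za-z][\w-]*?)-(?P<ver>\d+(?:\.\d+)*)\.(?:tar\.gz|zip)$")
# 13 to 19 digits, optionally separated by spaces or dashes
CARD = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

def luhn_ok(digits):
    """Luhn checksum, used to discard digit runs that cannot be card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def outdated_artifacts(keys):
    """Return every artifact key that has a newer version of the same name stored."""
    by_name = defaultdict(list)
    for key in keys:
        m = ARTIFACT.match(key)
        if m:
            # Compare versions numerically so that 1.10.1 ranks above 1.2.0.
            ver = tuple(int(p) for p in m["ver"].split("."))
            by_name[m["name"]].append((ver, key))
    stale = []
    for versions in by_name.values():
        stale += [key for _, key in sorted(versions)[:-1]]
    return sorted(stale)

def objects_with_card_data(inventory):
    """Return keys of objects whose content holds a Luhn-valid card-like number."""
    hits = []
    for key, text in inventory:
        for m in CARD.finditer(text):
            if luhn_ok(re.sub(r"\D", "", m.group())):
                hits.append(key)
                break
    return hits
```

In practice the listing would come from your provider's inventory or storage API, and the findings would feed the periodic review described above.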

Establish a Vendor Management Program

Cloud service providers are vendors. You not only need to trust them, but you need to verify their security controls to protect yourself from data breaches. You need to establish agreed-upon controls and service level agreements with cloud service providers and any vendors whose APIs you use.

Understand your cloud service provider’s controls

Whether you’re using a public cloud or hybrid cloud, your service provider is going to be storing and transmitting your data. You need to ensure that they incorporate an appropriate level of protection over that data. Unfortunately, even though you’re contracting with the cloud service provider, you own the data risks. You need to understand how your service provider encrypts data and controls access and authentication. You also need to know their incident response plans.

Know your compliance requirements

If you need to be General Data Protection Regulation (GDPR) compliant, you need to make sure your cloud services provider offers local data centers. If you need to report data breaches under a regulatory requirement, you need to make sure that your cloud services provider can keep you informed so that you can stay in compliance.

Continuously monitor threats

In the same way that you monitor your data environment, you need to monitor the continually evolving threats to your cloud infrastructures. The primary concern over engaging a hybrid cloud infrastructure is lack of visibility into who accesses all the points of entry. Unfortunately, while others maintain controls, you’re ultimately responsible for any data breaches arising out of your third-party vendors, including your cloud providers.

How ZenGRC Enables Better Control

You can’t be everywhere at once, but you can maintain documentation of your due diligence. ZenGRC offers a risk, compliance, and governance (GRC) SaaS platform that streamlines the management of the variety of tasks necessary to mitigate the security threats associated with cloud security.

ZenGRC offers you a “single-source-of-truth” for all your documentation. Additionally, with our workflow tagging and task prioritization functions, you can communicate with internal stakeholders involved in monitoring your cloud security.