Do Companies Who Migrate to The Cloud Assume They Can Focus Less on Security?
I was thinking this one over. Do companies (especially small and mid-size ones still smarting from the great recession) believe they can lower their guard security-wise if they outsource services and functions to the cloud?
If I am using Google Docs, Hosted Exchange, or off-site backup services, does this mean I need not worry about perimeter defense-in-depth?
Of course any serious security practitioner, and NIST, says no!
This is a quote from NIST Special Publication 800-146:
“Subscriber-Side Vulnerabilities. Subscribers should minimize the potential for web browsers or other client devices to be attacked by employing best practices for web browser security and patching, and seek to minimize browser exposure to possibly malicious web sites.”
I wonder, though, whether companies which are still under financial constraints, and happy to have been able to operate with one less in-house support person because they went “cloud”, are under the illusion they need less security as opposed to more. I can’t tell you how many times I’ve walked into offices big and small, headquarters and satellite, only to find outdated or no security protections in place (and sometimes the executive staff visiting questionable web-sites to boot!). With real companies being robbed left and right these days over the internet as they lose real dollars, one has to wonder what it will take to make these small businesses, which make up the majority of the American economy, wake up and install that security device!
Against this backdrop I know of many a company that has bet everything on the cloud without doing its due diligence, or the assessments needed to determine what should be sent to a potential third-party provider and what should not be placed in the cloud. A flexible hybrid approach of on-site, public, private and community cloud strategies makes sense in many cases. Do you really want that file server off-site in the cloud, and then lose access to your data if you’re a few weeks late in paying? Many applications make great sense based in the cloud, put in a co-located facility or partnered into a community cloud, but proper upfront assessments and investigation are key to not getting burned, as the cloud community is evolving so quickly.
All this comes back to the NIST Special Publication in that the first line of defense begins at the user’s browser, with proper security protections installed and end-user training administered.
Some recommendations I always make are:
- Have a filtering security device at the internet gateway boundary. (Scan email and web streams, block peer-to-peer software, etc.)
- Use a combined security software option such as Sophos, which combines end-point protection with all the standard anti-malware protection options. (This should be a different brand than the vendor product used at the gateway.)
- Engage the organization’s people in extensive and regular security training.
- Conduct regular security audits.
- Have a system set up to capture log events and analyze them on a regular basis.
- Have an established internet use policy that the organization’s staff signs off on.
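To show what the log-analysis recommendation can do for the browser-patching point in the NIST quote, here is an added example (mine, not from the post, NIST or Sophos) that runs over a few constructed gateway log lines and flags clients whose browser major version is below a hypothetical patch baseline, plus clients repeatedly hitting blocked sites. The log format, the hostnames and the baseline versions are all assumptions made up for the example.

```python
import re
from collections import Counter

# Constructed sample gateway log lines (made up for this example, not real traffic).
# Assumed format: timestamp client_ip action url user_agent
SAMPLE_LOG = """\
2013-01-14T09:02:11 10.0.1.21 ALLOW https://docs.google.com/ Mozilla/5.0 (Windows NT 6.1) Firefox/18.0
2013-01-14T09:03:40 10.0.1.22 ALLOW https://mail.hosted.example/ Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
2013-01-14T09:05:02 10.0.1.22 BLOCK http://questionable.example/ Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
2013-01-14T09:07:55 10.0.1.23 BLOCK http://p2p-tracker.example/ Mozilla/5.0 (Windows NT 6.1) Chrome/24.0.1312.52
2013-01-14T09:09:13 10.0.1.22 BLOCK http://another-bad.example/ Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
2013-01-14T09:11:30 10.0.1.21 ALLOW https://backup.example/ Mozilla/5.0 (Windows NT 6.1) Firefox/18.0
"""

# Hypothetical patch baseline: lowest browser major version the organization accepts.
MIN_MAJOR = {"Firefox": 18, "Chrome": 24, "MSIE": 8}

LINE_RE = re.compile(r"^(\S+) (\S+) (ALLOW|BLOCK) (\S+) (.*)$")
BROWSER_RE = re.compile(r"(MSIE|Firefox|Chrome)[/ ](\d+)")

def parse_line(line):
    """Split one log line into fields; return None for malformed lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, ip, action, url, ua = m.groups()
    b = BROWSER_RE.search(ua)
    browser, major = (b.group(1), int(b.group(2))) if b else (None, None)
    return {"ts": ts, "ip": ip, "action": action, "url": url,
            "browser": browser, "major": major}

def analyze(log_text, baseline=MIN_MAJOR):
    """Return clients below the patch baseline and clients hitting blocked sites."""
    outdated = {}
    blocked = Counter()
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or not rec["browser"]:
            continue  # unparseable line or unrecognized client: review separately
        if rec["major"] < baseline.get(rec["browser"], 0):
            outdated[rec["ip"]] = (rec["browser"], rec["major"])
        if rec["action"] == "BLOCK":
            blocked[rec["ip"]] += 1
    return {"outdated": outdated, "blocked": dict(blocked)}

if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for ip, (browser, major) in sorted(report["outdated"].items()):
        print(f"{ip}: {browser} {major} is below the patch baseline")
    for ip, n in sorted(report["blocked"].items()):
        print(f"{ip}: {n} blocked request(s)")
```

A client that shows up in both lists (an unpatched browser and repeated blocked requests) is exactly the subscriber-side exposure the NIST text warns about, and is a good place to start the regular log review.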
We can all work together to make 2013 a safe-security year by talking up security whenever we have the chance.