Cloud security processes in many companies are still relatively immature, according to a panel at the Cloudsec 2016 conference in London.
“While most cloud suppliers have built-in security, in business processes it is still very much something that is bolted on,” said Trend Micro security research vice-president Rik Ferguson.
“In many organisations, security still needs to be embedded in processes, and by doing so, they will make compliance easier,” he added.
Many organisations also need to understand that security in the cloud is a shared responsibility, said Microsoft national technology officer Michael Wignall.
A lack of understanding about where the responsibilities of the cloud providers begin and end, he added, is one of the biggest risks for companies using cloud services.
“To ensure trust, Microsoft provides evidence in the form of data from security and compliance tests, as well as audits – one of the biggest challenges is that organisations are not geared up to deal with it – and we often have to help customers understand what it means in the context of their business.”
According to Ferguson, many companies still think that by outsourcing things to cloud service providers they can offload accountability, which is not the case.
“Many consumers of cloud services need to understand that they are still part of the process, and that security needs to be part of everything they do,” he said.
It is important that cloud consumers understand what level of service they are buying, what the regulatory requirements are, and what evidence they need to meet those requirements, said Wignall.
Barclays group chief security and information security officer Troels Oerting said organisations should ensure the same assurances in the cloud as with other service providers.
“Barclays runs an assurance programme for all suppliers, and testing in the cloud is the biggest problem, but they get used to it,” he added.
Markit global chief information security officer Darren Argyle said organisations should also ensure they have visibility of all instances where cloud services are used by their organisation.
Many IT departments are unaware of all the uses of cloud services, with business units buying in cloud services on an ad-hoc basis, commonly known as shadow IT.
“By aggregating all cloud requirements, organisations are in a better position to negotiate a more cost-effective enterprise agreement while getting a better understanding of the risk to manage it as they would any other third-party risk,” said Argyle.