As the Cloud Grows, So Does the Focus on Its Security
By Thaddeus Swanek
Every day more data, applications, and computing power—almost everything we do digitally—is moving to the Cloud. With so much of our digital life dependent on Cloud computing, its security is no longer a side issue, but a top priority. To delve deeper into this issue, the U.S. Chamber of Commerce’s Cyber, Intelligence, and Supply Chain Security Division hosted a discussion today on Cloud cybersecurity as part of its Now+Next webinar series.
Despite all the hype, Cloud computing is still only getting started and has plenty of room for growth. According to Nataraj Nagaratnam, chief technology officer at IBM Cloud Security, 80% of businesses store data and run applications in-house, usually on corporate servers. Today, just 20% of their data and services are in the Cloud, but Nagaratnam said the transition to the Cloud will continue to gather pace.
“It’s not a question of if, but when. It’s a journey,” Nagaratnam said. “That’s still 80% that’s untapped, either because of complexity in modernizing existing applications or because of security and compliance needs.”
What is the Cloud?
Cloud computing is storing data and running applications remotely through an expert service provider. It’s not mere racks and stacks (just hardware and servers) to store data; it’s also service, customization, and guidance from specialized experts who have the know-how to store, distribute—and protect—data.
“Cloud is a technology platform that enables business transformation,” Nagaratnam said. “It enables all these use cases where customers can focus on their business and not worry about managing infrastructure or platform capabilities.”
There are cybersecurity plusses and minuses of Cloud computing, but Dan Mellen, global cloud and infrastructure security lead at Accenture Security, says Cloud computing has far more security advantages than disadvantages.
“If you look at the Cloud service providers and the cybersecurity organizations they have, their investment and headcount is generally larger than most Fortune 100 IT companies. It’s a whole new paradigm,” said Mellen. “If done properly, the Cloud has the potential to provide security far beyond what most businesses get today out of their in-house IT infrastructure.”
Cloud Requirements and Regulations
Of course, different data has different needs, regulations, and rules. Data from your bank might have more stringent rules than your log-in credentials for your gaming console. According to Nagaratnam, that’s where expertise plays a key role.
“There are industry-specific regulations on how you protect data, how you report when a cyber intrusion happens,” Nagaratnam said. “There are stringent requirements and regulations when it comes to healthcare or financial data. We look at this as an opportunity to drive a standards-based approach to achieving continuous security and compliance. That way, it can be operationalized and implemented.”
Prudent, well-thought-out legislation could also help define and standardize Cloud cybersecurity, if approached the right way, experts say. Mellen says he sees a need for federal data privacy legislation instead of a “patchwork” of state laws and regulations. “There is a strong need for a national consumer privacy law to enhance trust and help drive innovation,” Mellen said. “I think the Cloud is uniquely positioned to be an enabler for that change.” Along the same lines, Nagaratnam said legislation should drive consistency through a risk-based approach that is both grounded in global standards and industry best practices and flexible to address emerging cybersecurity threats. Partnering with industry is key. In addition, recognizing the benefits of real-time threat monitoring and having a consistent standard for incident reporting also can help enhance and streamline cloud cybersecurity.
“How can we encourage the culture and technology to get to continuous security and monitoring? So that any day you can say: ‘How does my application look? Is it secure?’ Instead of inspecting every three months,” Nagaratnam said. “The other thing is getting to consistent data breach notifications: ‘If a data breach happens, this is how we report it.’ That sort of standardization and consistency at the federal level is probably a good idea.” Nagaratnam adds that industry is working with groups like the National Institute of Standards and Technology (NIST) to arrive at transparent Cloud cybersecurity standards everyone could agree on.
“We’re working with them on making the NIST cybersecurity standards more Cloud-ready: How you extend standards from a traditional environment to a Cloud environment,” Nagaratnam said. “The more we standardize in terms of controls, the better we will enable innovation while enhancing security. That’s the balance we need to strike.” Join the conversation on cybersecurity throughout the rest of the month as the U.S. Chamber continues its Now+Next webinar series.