A New Mindset on Cloud Security

The cloud is more secure than many businesses believe, according to respected analysts such as Gartner; with many companies missing out on opportunities because of their security misconceptions.

IT leaders could do with trusting the cloud more, not least because of the speed and agility it brings, but also because of the new security paradigm it embodies – one of pervasive and strong end-to-end security.

The reality is that cloud provider business models are based on delivering trust and security for some of the most demanding customers out there, and they do this daily, at scale and on a global basis. Consequently, their cloud infrastructures have been battle-tested for years now, with security built into every layer – from the data centre up.

Analyst firm Gartner sums it up in its Cloud Security report. “Many businesses are missing out on the opportunity of cloud because of unwarranted, unsubstantiated security fears,” argues Gartner analyst Jay Heiser.

He says established security tools and technologies make many established cloud environments secure – across solutions like infrastructure as a service (IaaS), platform as a service (PaaS) and software as a service (SaaS).

However, cloud brings a significant change to the security model and moves away from building a fortress around the company’s information, and keeping it locked up and hard to access. Instead, cloud computing secures the virtual infrastructure, encrypts the information itself and tightly controls the access users have to cloud resources.

This is mainly because today’s cloud apps require constant and fluid access to fast-moving and varied data, both inside and outside the parameters of the business. As a result, it’s more about securing the information at rest and in transit, as well as the people and systems that access it.

With this model in mind, cloud service providers have worked over the last decade on developing specialised knowledge to achieve end-to-end security. They have improved their technical skills and expertise around things like Cloud Identity & Access Management (IAM), OS image management, secure network connectivity and advanced encryption technologies.

Salesforce Research, which surveyed more than 2,200 global IT leaders and CIOs for its 2016 State of IT Report, discovered that: “Top-performing IT leaders trust cloud services to bolster security while their teams focus on innovating with engaging apps. Seventy-two percent of high performers trust storing core infrastructure data on a public cloud, which is 1.9x more than underperformers.”

In addition, says the report, sixty-eight percent of IT teams report that they will spend more on mobile apps, cloud migration, and cybersecurity/incident response over the next two years.

But it isn’t enough just to leave security to your service provider. For organisations that use cloud services, their CIOs and CISOs also need to have good data governance and policies at the core of their enterprise cloud strategy, and to take advantage of available technologies such as encryption and access controls.

At the end of the day, it’s a partnership between businesses and their cloud service providers, and the security burden shouldn’t be just on one or the other.

This is the view of Salesforce, which has had a multilayered security approach at the heart of its enterprise cloud solutions for many years.

For example, their data centres are accessed by biometric scanning, employ data replication and are tested via regular customer audits. At the network level, secure encrypted connections are used in addition to industry-leading firewall and advanced threat detection technologies, among other things.

Then, for the application itself, a range of extra security services are applied such as Two Factor Authentication, Identity & Single Sign-on, as well as granular controls that let you set permissions, password policies and even field & row level security.

All this functionality is part of the core service but where companies need an extra layer of protection they have the option of deploying Salesforce Shield. This additional set of security services allows organisations to encrypt specific fields, such as customer account information, as well as monitor and set policy for irregular usage patterns across their user base. It also offers a solution for companies that have regulatory requirements to store data for extended periods.

Salesforce senior VP, Jim Rivera, says, “Cloud solutions like Salesforce Shield provide security professionals with tools to better comply with industry regulations and organisational security requirements while giving the business a platform to help them engage with their customers, partners and employees in new ways.”

Salesforce’s approach shows how security can be baked into the architecture itself, at an infrastructure, network and application level, and also strengthened with additional layers as businesses require it.

It goes to show that today’s security technologies are fully capable of securing the cloud: apps, data and users, with cloud-based applications giving enterprises a secure alternative to traditional IT.