Moving your operations to the cloud? Here are some security factors you must consider before doing that

Eight years back, a major streaming service provider moved to the cloud after a series of disastrous crashes with connections. Despite pumping in millions to salvage operations, the service found to their dismay that their improvisations were failing. Finally, the service ended up migrating to the cloud and has since, not looked back. Today it is ratcheting up impressive numbers, and dominating the streaming service industry. This migration has remained, till date, an important case study among some of the most remarkable turnarounds achieved through the cloud. [caption id=“attachment_4093093” align=“alignleft” width=“380”] Cloud Computing. Representational Image[/caption] The narration is clearly in the numbers; as the **cloud** continues to rain benefits, more and more companies join the exodus, preferring low costs and flexibility of accessing reliable IT services. However, discussions in conference rooms that revolve around running applications from the cloud are pretty much the same across organisations. The agenda may compel one to think that the briefs originated from a single presentation template. Some decision makers tend to view the move to the cloud as one that involves trade-offs, with fallible technologies or platforms compromising data privacy. Such fears primarily owe its influence to the tech newsfeed that is increasingly being dominated by security threats rather than innovations. Here is what I prefer to call the top factors that need to be considered to mitigate mounting concerns of security, prior to migration. Multi-tenancy issues Almost paradoxically, the very advantage of sharing of hardware resources sometimes may comprise a potential risk to clients. There is impending risk of potential wipe-out impacting thousands of customers at the same time. Cloud by intrinsic nature may not be able to provide preferential treatment during recovery process. Clients need to receive reassurances that guarantee the safety of information, through destruction of data, on termination of contract. Security audit Clients should plan for security policies to be applied based on their Active Directory or other mechanisms. Clients to check whether their Cloud service providers permit API based **penetration testing** . This is a good way to independently check the security in place. Ideally, a client needs to be allowed the flexibility of checking the client’s storage. APIs and CASB are two good options of bringing the client up to speed on the security of data in the cloud with information on the entities accessing data and the nature of data accessed. Intervention processes and intimation of security incidents While service providers are saddled with the responsibility of dealing with security incidents, it is the client who actually experiences the full brunt of the breach. Clients need to be updated on security situation on a real-time basis. This will help clients to take remedial measures rather than letting it manifest into a debacle of irreparable proportions. The actions of the service provider in managing the breach or incident need to be communicated through specified channels. Seamless transition and interoperability Enterprises are adopting different strategies in their Cloud Transformational journey of which Lift and Shift is a key part. Applications may need remediation and where applicable re-platform option to be considered for compatibility with what the Cloud offers. The new environment should, in other words be interoperable with existing environments, offering seamless transition and convenience across all security features including data at rest encryption, intrusion detection systems, perimeter and internal firewalls, sandboxes, SIEMs, etc. Protection of application Physical and virtual resources have always been protected in traditional environments through user access control and protection. Shifting to the cloud, offers similar controls. The onus, however, lies with the enterprise to determine the level of user access control and protection, according to the specific risks and deployment options present. Multi-layered security including user, application and data level security will result in a better network security. Greater security with the cloud A Gartner study projected that by 2020 cloud infrastructure-as-a-service (IaaS) would be exposed to 60 percent lesser number of security incidents than traditional data centres. The study also reported that 60 percent of enterprises that implement appropriate cloud visibility and control tools will experience one-third fewer security failures. This conclusive study indicates the security capabilities of recognised players. The report also sheds light on better security with improved controls. The cloud offers benefits, difficult to expect from traditional data centres. Dispensing with the need for physical maintenance of dedicated data centres to store information; the cloud offers organisations the perfect incentive for limitless growth and scalability at considerably reduced costs. The argument about safety has been turned around on its head, with reports indicating better security in cloud IaaS over traditional data centres. The author is EVP and Head – Infosys Validation Solutions & Cloud, Infrastructure and Security, Infosys