When a company begins to use cloud services, it finds itself facing new challenges to its approach on security. Cloud-based services can affect many different aspects of security, ranging from the security features of new apps in development to the way a company defines the security measures for internal data.
The relative importance of each of these issues varies from company to company, depending on factors such as industry, regulatory environment, and the types of cloud services under consideration. Microsoft’s Enterprise Architects have helped a number of businesses adopt cloud-based services.
This article, based on the observations and experiences of Microsoft Architects, presents ten questions that can help your company identify security issues you may encounter when using cloud services.
1. How thoroughly has your organization defined its general security policy? Do you have platform-agnostic guidelines to apply as new security issues arise?
Without overall guidelines to fall back on, personnel may end up applying security measures ad hoc and interpreting applicable regulations on the fly. Microsoft Architects have worked with companies that operated in this manner; in such companies, the security measures applied to documents may depend more on where the documents are stored than on their content.
For example, the protections applied to a web-based document store may differ from those applied to a file share simply because different people were responsible for configuring them. A fractured security picture makes it very difficult for a company to specify which content may be used with cloud services and which cannot.
2. How flexible are your security systems? How much work will it take to accommodate the cloud-based service?
This work includes the technical changes needed to ensure that the cloud-based service can interact with your systems in the ways intended (and only those ways), and that the users have appropriate levels of access to the service.
Some companies have legacy technology that makes it difficult to modify security models and processes. For example, Microsoft Architects have worked with manufacturing companies and have found that their systems tend to change more slowly than those in other companies. As a result, these companies tend to accumulate legacy systems that constrain any new technology and dictate the standard approach to issues such as security.
3. Do the Governance, Risk, and Compliance (GRC) requirements for your organization take cloud-based services into account? If not, do you expect them to change?
When using cloud-based services, some of the biggest challenges that businesses face relate to GRC requirements. Many businesses need to update their audit and compliance testing processes to account for transactions that may cross multiple environments.
Some regulatory agencies have not yet updated their requirements to account for cloud-based services. As a result, the companies they regulate face a choice: wait to use cloud services until updated regulations are in place, or go ahead in the belief that the benefits outweigh the possible ramifications.
4. Is your IT organization accustomed to assessing value in terms of risks, costs, and benefits?
Microsoft Architects have observed that IT organizations become inflexible and risk averse when they become aware of risks without having a complete understanding of their context. These organizations find it difficult to change how they operate.
5. Are you building apps or APIs for customers or partners that incorporate cloud-based services?
Companies are using new approaches to partition functionality between line-of-business (LOB) apps and cloud-based services, and to encrypt the data that the cloud-based services process and store.
As customers become more comfortable using cloud-based services, companies that develop software and APIs with strict security requirements are exploring ways to incorporate cloud-based services securely. Their customers expect the APIs to be granular enough to meet their needs and to keep their data secure as it passes through the cloud.
In the past, some businesses expected their customers would question the security of cloud-based apps and APIs. However, this resistance has dropped off over the past year.
6. Will your apps collect consumer information? How will you keep that information secure?
Based on what they have seen, some Microsoft Architects expect the issues of security and privacy to receive increasing legal and political attention as consumers evaluate how companies use the consumer data they collect.
7. Are you considering whether to add cloud capability to legacy applications?
Depending on the architecture of the legacy applications, it may be difficult to adapt them to work with cloud services.
8. Do you use a single identity management system for your company? Can this system (or multiple systems in use) integrate with cloud-based services?
Not all identity management solutions can integrate with cloud-based services, or federate with external identity stores.
9. Does your company organize data logically and classify it according to its security requirements?
If your employees will be using cloud-based services, you need to consider what company information will be involved. What information can pass through the cloud or be stored there? What information must stay on premises? How will you keep cloud-based information synchronized with on-premises information, and how will you protect it all? If you are allowing employees to use their own (unmanaged) devices with the cloud service, can you ensure that only appropriate information ends up on those devices?
Microsoft Architects have worked with many businesses that had not given much thought to their information architecture and classification systems before. Faced with unmanaged devices and cloud-based services, they needed to analyze their content, streamline it, and classify it according to type, impact, and sensitivity. They then needed to develop an organizational system to make management tasks more feasible.
10. Are all levels of your business aware of the need to organize and secure data appropriately?
In many businesses, the IT organization and the upper levels of the business are aware of these concerns, but many other levels are not. The upper levels now have to work to drive that concern through the rest of the business. For example, employees who use web services to store documents at home occasionally use the same web services to store sensitive company documents, without considering the deeper security implications.