Security
 | 4 min read

People, Process and Technology in Cloud Security

By  Sai Honig,
 15 September 2016

blog-post-pic-1.jpg

Using the cloud to transform technology is fairly easy. Transforming people and process is not so straightforward. Sai Honig, Senior Security Consultant at Aura InfoSec has her say.

There has been much written about the transformation occurring through the use of cloud technology. Words such as “revolutionary”, “game-changing” and “democratisation of technology” have all been used.

 

We live in a time when creation and access to data drives our commerce. However, negative elements of our society are willing to steal data in order to profit from the work of others. Losing control of data can lead to identity theft, privacy and reputation loss, regulatory restrictions and fines.


Many large and small companies have taken advantage of moving to cloud technologies. A common misconception is that in doing so they eliminate all user responsibility and provide complete security. Often we hear “that’s in the cloud” as if to mean that users’ worries are at an end.

But are they?

People, Process, Technology – these three terms should be inextricably linked when considering significant transformations. But often they are not. Using the cloud to transform technology is fairly easy. Transforming people and process is not so straightforward.

People – We are creatures of habit and simplicity. For example, when we access sites or networks (almost anything online), we prefer to have simple access that does not change. This is why many of us use the same password for several locations. Also, many of us do not change our passwords every 90 days as suggested. That would require us to change a multitude of passwords and many of them require complexity and length.

 

A simple solution may be the use of “password keepers”. There are a number of them available. But even having a tool available does not mean it will be used. We need to practice using those tools. With practice, our habits can create greater security.

 

Awareness of potential risks also needs to be instilled in our daily activities. How many of us can recognise a fake or “phishing” email? (See poster from Security Central) Even if you recognise it as a phishing email, do you know what to do? As much as we can save money with changes to technology, further savings can be realised through basic education. Importantly, these savings can be realised without having to implement emergency processes and forgo normal business operations.

 

Process – Location and maintenance of systems may be located in a cloud infrastructure. This does not mean your own processes are eliminated. They may need to be adjusted. For example, the cloud infrastructure may have a maintenance or downtime schedule. Your operations may need to be adjusted for this schedule. Also, changes to cloud infrastructure may affect your operations. This could require additional testing on your part.

 

You may be creating content at your location and may have backup offsite. Your backup will need to be refreshed periodically to maintain the latest version. A weekly or daily backup may not be sufficient. Also, it is a good idea to test your backups periodically to ensure you do have a working copy.

 

Something else to think about is the location of your content. Cloud infrastructure may not be located in your country. They may not even be in your geographic region. This may mean there are additional jurisdictional requirements that have to be considered. Consider this if your content contains intellectual property, personally identifiable data or health information.

 

In conclusion, cloud technologies can and do make non-core operations faster and easier. However it is not enough to simply put operations into a cloud infrastructure and walk away. Additional review of both internal and external operations may be required.

 

Such considerations are noted in chapter 20 of Cloud Security Ecosystem and I encourage all business people to ensure they not only take the time to read this, but also assess whether or not they are taking a security conscious approach to the use of cloud technology.