While organizations continue to move more mission-critical applications and workloads to the cloud, security remains a top concern for IT, cybersecurity, and business decision-makers.
According to the 2019 Cloud Security Report, 93% of cybersecurity professionals are either extremely or moderately concerned about cloud security. Nearly 30% said they experienced a public cloud-related incident in the last 12 months. Top security issues are data loss, data privacy, compliance, accidental exposure of credentials, and data sovereignty.
The level of concern about cloud security is not surprising. With more applications and data moving to the cloud, the impact of a security breach can be devastating. The average cost of a data breach is now $3.92 million, per the 2019 Cost of a Data Breach Report by the Ponemon Institute.
The good news, however, is there are ways to mitigate the impact of a breach, either pre-emptively or after a breach occurs. Foremost among these, according to Ponemon, is “extensive use of encryption.” Other key mitigating factors include data loss prevention, threat intelligence sharing, and business continuity management.
As an IT decision-maker, what can you do to mitigate both the risk and the concern about a cloud security breach?
First, you have to recognize and acknowledge that any time you are using public cloud, you are using a shared responsibility model—this means that you are responsible for security to and from the cloud and the cloud provider is responsible for security within its cloud infrastructure.
Second, you should choose a cloud provider that offers the highest levels of protection and expertise—particularly in areas that have a significant effect in reducing risk, such as encryption, access control, monitoring and visibility, along with data sovereignty and other compliance requirements.
Third, you should use a public cloud platform that is tightly integrated with your on-premises virtualized environment, specifically VMware. With tight integration, you can run VMware workloads in the cloud with high uptime availability at the virtual machine (VM) level while leveraging innovations such as stretched clusters to reduce risk and improve availability of mission-critical applications.
Five important security factors
With those three considerations in mind, here are five additional important security factors to consider in choosing a public cloud provider:
- Encryption: As noted, encryption is the number one factor in preventing and mitigating the impact of a breach. Ask if your public cloud vendor offers a FIPS 140-2 Level 4 certified Hardware Security Module. This is important because Level 4 certification provides industry-leading protection against tampering. Additionally, you can access functionality so that no one—including cloud administrators—has access to encryption keys at any point.
- Role-based access control: With role-based access control, you can decrease the risk of breaches and data leakage by reducing and managing access to sensitive information. You can guarantee that only authorized users are given access to what they need to do their jobs. You also enhance compliance by more effectively managing how data is accessed and used.
- Data sovereignty: As described by TechTarget, “Verifying that data exists only at allowed locations can be difficult. It requires the cloud customer to trust that their cloud provider is completely honest and open about where their servers are hosted and adhere strictly to service level agreements (SLAs).” Make sure your cloud provider has data centers all around the globe and can comply with data sovereignty regulations by geo-fencing workloads running on trusted servers.
- Compliance: Data sovereignty and compliance go hand-in-hand, particularly as more and more enterprises are conducting business globally and local governments and agencies have strict compliance requirements for doing business, such as the General Data Protection Regulation (GDPR) in the European Union. In public cloud, you want to be able to enforce compliance requirements with continuous monitoring and alerting against policy-based templates for audit readiness.
- Business continuity: Backup and disaster recovery are vital use cases when it comes to public cloud, but you must also make sure that your provider supports high availability capabilities to ensure the integrity of backup and DR sites when recovering from cyberattacks. Make sure to ask your cloud provider about recovery time objectives and recovery point objectives, as well as capabilities such as stretched vSAN clusters for your VMware solutions in hybrid and public cloud.
Mitigate risk by choosing the right public cloud provider
Perhaps it is inevitable that business and IT leaders will have concerns about cloud security. The idea of trusting your mission-critical data and applications to another company can be somewhat daunting.
Today’s reality, however, is that you can mitigate risk—and concern—by choosing a public cloud provider that is focused on security leadership and trust, offering enterprise-grade protections in key areas such as encryption, control, compliance, data sovereignty, and business continuity.
Learn more about IBM’s security leadership and how to most securely migrate your mission-critical VMware workloads to IBM Cloud.