With billions of dollars being spent on cloud security -- $2.1 billion, according to a recent report from Gartner -- is it safe to trust the cloud? Yes, but it's important to know the reasons why the cloud makes sense for some of your apps, and not for others, according to panelists on a Case Study U session at ITEXPO East 2014 titled "Locking Down the Enterprise: Keeping Sensitive Data Safe in the Cloud and On-Premises."
The International Speedway Corp. operates a private cloud for most of its key applications, including disaster recovery, said Dawn Montemayor, senior director, information security and compliance, at International Speedway Corp. "But our business units come in all the time and ask for applications like Salesforce for CRM. The challenge in our role as security professionals is making sure that the business recognizes and understands the risks and whether they're willing to take on those risks."
Montemayor said she has a low tolerance for the public cloud, mostly because of the risk involved. "I'm of the mind of don't put it into the cloud if you don't have to," she said. "My risk appetite is pretty low. The application has to be something that is the industry standard; Salesforce is an example of an exception. The benefits to the organization outweigh the risk. For things like that, where you cannot dispute the value of what they are offering and there's no regulatory issues, the cloud is a no-brainer."
Daniel Farrell, director of network operations for Awesome Cloud, which delivers white label cloud solutions to partners and cloud resellers, said businesses can mitigate cloud risks by choosing the right provider. "You have to ask your cloud provider what types of security controls they adhere to," he said.
"It's how they advertise it -- if they are advertising a high level of security, security is high on their list. If they are not, it's usually not high on their radar and they expect the customer to take the lead." Montemayor points out Amazon Cloud Services as an example. "Their 100-plus page contract does not strike on a lot of security. They basically make that your responsibility," she said.
The bottom line, like it or not, is that security breaches are going to occur, the panelists agreed. "It's kind of a jungle on the Internet," Farrell said. "It's almost like a prison environment -- you lock it down as much as possible and cover holes where you see them. You try to determine what tools hackers have and then try to take away as many tools as you can."
"It's very organized now -- there are no more huge one-person attacks," Montemayor said. "It's almost like organized crime. It's more of a gang. Hack it, get the data and sell it."