SecurityWeek

Security Reviews Critical to Cloud Migration

Organizations appear to be getting better at understanding the security implications of moving to the cloud through their review processes, according to a new report.

According to CompTIA’s Trends in Information Security report, the share of companies that say they consider security-related subjects such as data retention, encryption, regulatory compliance, and identity and access management when reviewing cloud service providers has risen over the past two years.

“The distribution is also fairly tight, with 40%-60% of companies saying they always review each area,” the report notes. “Businesses are recognizing the importance of conducting reviews and the breadth of issues that a review should cover.”

Jim Reavis, CEO of the Cloud Security Alliance [CSA], told SecurityWeek that companies should first look inward and understand the specific business function they are putting in the cloud.

“This may not always entail a full risk assessment, but understanding the sensitivity of the data related to the business function, the risk appetite and other security-related service level objectives will help provide the security context companies need when selecting a provider that is a good match,” he said. “Many companies use CSA’s Consensus Assessments Initiative Questionnaire and Cloud Controls Matrix to assess their own maturity and prioritize their own requirements, then use these same documents to assess the provider. The advantage is that providers are typically already familiar with these standards and will be able to turn around responses more quickly. They may already have the answers publicly posted in CSA STAR [Security, Trust and Assurance Registry].”

Going through the process of understanding security requirements and reviewing cloud providers can drive internal changes as well, the report adds.

“Forty-eight percent of companies say that they have changed company policy as a result of changing views on cloud security, and 41% have built additional security features into cloud-hosted applications,” according to the report. “Moving to the cloud does not just require additional security measures to close gaps that exist in the cloud provider, it also requires changes to application architecture and business workflow, and these changes often prove more challenging to implement than system migration.”

Even with a review, however, many companies find that security issues remain. Following an initial cloud migration, many of the surveyed companies acknowledged making a secondary move for security reasons, such as moving from a public cloud to a private cloud (36%), from a public cloud to an on-premise system (31%), or from one public cloud provider to another (30%), the report notes.

“Secondary migrations imply that there are some lessons being learned following a migration that could have been avoided with a proper review of a cloud provider’s policies,” according to the CompTIA report. “Again, this review requires that a company understand its own security requirements up front, but once that understanding is in place, a thorough review of potential providers can help avoid confusion or additional work.”

According to Reavis, many larger companies today use hundreds of cloud services, so they have clearly built some repeatable processes around provider engagement and onboarding. Still, he said, significant progress remains to be made.

“I wouldn’t say that providers are bending to demands more, but they are more often meeting in the middle on compatible approaches to a shared responsibility for security,” he said. “A good example of this is with identity, where providers and customers have made progress in making systems compatible with SAML, to allow a secure exchange of identity authorizations rather than duplicating user IDs and passwords across multiple systems.”