The Forecast for Security is Cloud-y | Part 2
In part one of this series, I examined the ongoing trend of cloud migration that most organizations have or will soon undertake. And I looked at it from the perspective of how to ensure the security of your cloud assets.
In part two, I delve deeper into the details around cloud security.
Fortunately, the leading cloud service providers take security very seriously. However, you can see in pretty much any cloud security survey, the biggest data breaches occur because of how customers adopt, configure and use the cloud. That’s what you need to keep an eye on. That’s where you need to be particularly careful from a security and compliance perspective.
You can have the best security technology in place, but if you create a user with full authorizations and give them a very easy-to-guess password, that’s a big security problem. Or, if you create an extension that will expose your data without requiring authentication, that’s another big problem. Cloud security is about so much more than just making sure the technology and applications stack have the latest patches available, in any cloud service module. You still need to perform continuous assessment and have the right level of visibility to prioritize how to maintain that technology stack. You need to make sure all of those settings, all of those users, all of those interfaces (and ultimately all of YOUR datasets), are secure and compliant.
And if your organization deals with sensitive data, every compliance mandate will say you need to apply security controls for the data, the processes and the technology that’s going to use those business applications. In other words, you’re going to have to show you have the right controls on top of whatever your cloud provider is doing.
Because of the complexity of all this data and these processes, organizations typically end up deploying hybrid full-mesh environments. These enable fully integrated data transmission and they’re typically very customized in the different ways that the technology will allow. You will have to make many changes and customizations to be able to adapt these technologies to whatever use cases and processes you are running. So, you must ensure that all the modifications you require to adapt business applications to your organization’s needs must be secure and compliant from the ground up.
That’s something Onapsis has been doing for 10 years. We started with a very strong focus on on-premises security. As we anticipated that organizations would be moving to the cloud, we initiated our cloud transformation and cloud adoption capabilities. We continue adopting all the new cloud solutions into our platform and service offerings so we can assure our customers have the right security and compliance controls. We want you to know you can perform due diligence about how your systems and processes are being controlled for both security and compliance, by putting a layer of governance on top of it.
Onapsis also works closely with the Cloud Security Alliance. We co-founded the CSA’s ERP Working Group. The group continuously releases new materials and new content to help organizations understand what they should be looking at.
Part of what the CSA tells you is that you need to do due diligence when you subscribe to a cloud provider. The CSA provides a Cloud Controls Matrix and a cloud provider questionnaire. Those resources help you learn what you need to know about how your cloud provider is running their business, so you have confidence in their security posture.
How do you as a customer make sure you have the right controls on your data and process, regardless of which cloud provider you’re using? Organizations are getting very good at becoming comfortable with their cloud providers, but they can still make mistakes when they adopt those services, which can lead to reputation-damaging data breaches.
Here are some questions to ask yourself when it comes to securing your business processes:
• How do I adopt the technology?
• How do I configure it?
• How do I set up the users, the authorizations, the access controls?
• How do I set up the interfaces and different layers that basically roll up to business risks?
• How can I prevent my business processes from being abused and ultimately become non-compliant?
Do I have the right visibility and continuous monitoring capabilities across all of my Cloud ERP Applications?
When you have solid answers for each of these questions, then you are well on your way to operating a secure and compliant business, on-premises and in the cloud.