Three Best Practices for Evaluating Cloud Security

In 2016, security concerns continue to be one of the largest barriers to large-scale cloud adoption in the enterprise. Whether their concerns are misguided or not, many CIOs and CISOs simply aren’t comfortable with putting their data in the cloud.

I can sympathize—despite the convenience of cloud computing, it can be a bit scary to think of all your corporate data floating around somewhere you can’t see. But cloud computing is one of the fastest growing segments in IT, and it’s here to stay. Dragging your feet isn’t going to help you or your enterprise keep up with the increasing demand for automation and agility in modern IT.

For years, the cloud computing industry has been working hard to assuage customer security concerns, and today most cloud solutions are as secure as (or more secure than) on-premise infrastructure—especially when considering ‘complete’ offerings such as a managed cloud or a platform as a service (PaaS) solution.

With an on-premise infrastructure, it can be a full-time job maintaining security compliance, updates, and patches. Your business may not have the time or human resources to cover all your bases, and every patch and update missed is a new security risk. With PaaS, or IaaS (infrastructure as a service) running third-party security solutions, managing your risks can become a whole lot easier.

But not all cloud solutions are created equal—especially when it comes to security. With that in mind, here are three considerations you need to take into account when evaluating cloud security.

Does this solution have logging and reporting capabilities? 

Proper cloud security requires extensive logging. A secure cloud solution has the capability to provide detailed logging of management actions performed through the platform control interface or through APIs. Users should be able to access log data in the user interface as a reporting function, and should have the ability to view logging data in real time. If you are using a cloud solution without logging and reporting capabilities, I strongly suggest integrating a third-party solution.

What kind of Identity and Access Management capabilities will I have? 

Identity and Access Management (IAM) is a critical aspect of cloud security. A secure cloud should have firewall rules based on user identity that allow specific users to access specific sets of compute resources.

A solid cloud IAM solution—native or third party—should include granular role-based access controls and single sign-on capabilities.

To learn more about IAM solutions, check out Solutions Review’s Identity and Access Management page for news, best practices, and buyer’s guides.

How is API Messaging secured? 

An application programming interface (API) is an interface that allows the user to access information from another service and integrate this service into their own application, allowing you to integrate your cloud-based application with various other systems.

In a public IaaS cloud, APIs are an essential tool of the trade, but like any IT component, APIs are vulnerable to attack and must be secured. APIs in the cloud need to be resistant to playback and man-in-the-middle attacks. To achieve this, a CSP or third party can provide an authentication mechanism that limits issuing of API commands to authenticated endpoints only.
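As an added illustration (not code from the original article or from any particular CSP), here is one common way to build such a mechanism: each endpoint signs its API command with HMAC-SHA256 over the method, path, body, a timestamp, and a one-time nonce, and the server rejects anything unsigned, altered, stale, or already seen. The key ID, secret, and function names are hypothetical, and the scheme assumes TLS is still used for confidentiality.

```python
import hashlib
import hmac
import secrets
import time

# Constructed sample credentials; a real deployment issues these per endpoint.
API_KEYS = {"endpoint-01": b"constructed-demo-secret"}

def _mac(secret, method, path, body, ts, nonce):
    # Bind every field an attacker could alter in transit into one MAC.
    body_hash = hashlib.sha256(body).hexdigest()
    msg = "\n".join([method, path, body_hash, str(ts), nonce]).encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()

def sign_request(key_id, secret, method, path, body, now=None):
    """Client side: return the request plus its authentication fields."""
    ts = int(time.time() if now is None else now)
    nonce = secrets.token_hex(16)
    return {"key_id": key_id, "method": method, "path": path, "body": body,
            "ts": ts, "nonce": nonce,
            "sig": _mac(secret, method, path, body, ts, nonce)}

class Verifier:
    """Server side: accept a command only from an authenticated endpoint, once."""

    def __init__(self, keys, max_skew=300):
        self.keys, self.max_skew = keys, max_skew
        self.seen = {}  # (key_id, nonce) -> ts, kept for the skew window

    def verify(self, req, now=None):
        now = int(time.time() if now is None else now)
        secret = self.keys.get(req["key_id"])
        if secret is None:
            return "unknown-endpoint"
        expected = _mac(secret, req["method"], req["path"], req["body"],
                        req["ts"], req["nonce"])
        if not hmac.compare_digest(expected, req["sig"]):
            return "bad-signature"   # forged, or modified in transit
        if abs(now - req["ts"]) > self.max_skew:
            return "stale"           # old capture played back later
        # Forget nonces that the timestamp check would reject anyway.
        self.seen = {k: t for k, t in self.seen.items()
                     if abs(now - t) <= self.max_skew}
        if (req["key_id"], req["nonce"]) in self.seen:
            return "replayed"        # same message seen within the window
        self.seen[(req["key_id"], req["nonce"])] = req["ts"]
        return "ok"
```

The nonce cache only has to cover the timestamp window, which keeps server-side state bounded.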

Jeff Edwards

Editor at Solutions Review
Jeff Edwards is an enterprise technology writer and analyst covering Identity Management, SIEM, Endpoint Protection, and Cybersecurity writ large. He holds a Bachelor of Arts Degree in Journalism from the University of Massachusetts Amherst, and previously worked as a reporter covering Boston City Hall.