CIOReview | March 2015 | 19

and the Federal Information Security Management Act (FISMA). Many also have the capabilities to enable regulated organizations to deploy solutions that meet industry standards like the Health Insurance Portability and Accountability Act (HIPAA).

Is your sensitive data safe in the cloud?

It seems clear that service providers have developed and implemented these advanced security practices and undergone certifications to convince organizations that even their most sensitive data and mission-critical workloads are secure in the cloud environment. It's a strategy that seems to be working: More companies--even those operating in highly regulated sectors like financial services and healthcare--are putting mission-critical workloads in the cloud.

The fact that more companies are entrusting cloud service providers with critical data and workloads is encouraging progress. What's worrisome, however, is that many businesses still do not have a security strategy for cloud computing. According to our annual security survey, only 48 percent of organizations have a cloud security strategy. And just 50 percent say they perform security risk assessments on third-party vendors like cloud service providers.

Clearly, a well-designed strategy and disciplined due diligence should be in place before any data or workload is entrusted to a cloud provider. A sound cloud strategy begins with identification of business goals and alignment of those objectives with the benefits of the cloud. Next, organizations should carefully assess which applications and data are appropriate to move to a cloud environment. The business must know which data are subject to regulations and controls like those included in HIPAA, the Gramm-Leach-Bliley Act, PCI DSS, and the Sarbanes-Oxley Act, to name a few.

Organizations should also rigorously assess cloud service providers for appropriate security controls.
A few of the considerations include assurance that the cloud environment is appropriately configured, patched, and monitored. Workloads should be protected by firewalls, intrusion-detection systems, and denial-of-service protection. Employee access to customer data should be restricted and continuously monitored, and the provider should have plans to protect against the actions of negligent or rogue employees.

Just because more businesses are putting sensitive data in the cloud doesn't give every organization the green light to do so. It's an individual decision that should be very carefully considered and discussed. In some cases, mission-critical workloads and intellectual property may still be safest in the locked-down confines of the enterprise. Similarly, regulated data like payment card information and healthcare records should be sent to the cloud only if the service provider has security controls that match or surpass those required by the organization and its regulators.

Increasingly, however, we believe that top-tier providers are creating ecosystems that are safe for sensitive data. They are building security and agility into the core fabric of the infrastructure, which allows for an entirely new class of defenses that are possible only with the game-changing properties of the cloud. While traditional information security concerns still apply and addressing them is essential to developing a leading cloud strategy, we would argue that not only can the cloud be secure, it can also be one of the safest places to store your data.

David Burg