I have been in the security space for many decades. Although security technologies and processes have vastly improved, it seems that we are losing the battle as more and more data breaches are reported in the news. The wide adoption of the cloud has added to the concern for most enterprise risk officers. Due to increasing risk, favoring business efficiency over security — especially when dealing with cloud services — is no longer an accepted approach.
I’ve had the opportunity over the past 18 months to talk to over 100 different enterprises that are looking for advice and recommendations on how to control risk as they move applications and data to the cloud. As such, there are several common topics that inevitably come up. Although others in the industry have different ways to address the various concerns, depending on their focus or motives, I want to share my thoughts pertaining to the most common questions. I will write several blogs over the next few months that address some of the following questions and considerations:
- Does encryption really protect my cloud data?
- Is all encryption equal? Should I encrypt at the disk, file, storage or application layer for now and the future?
- Why should I control the encryption keys?
- Should I force devops to use an external encryption key management services or should I just monitor their activity?
- Security team vs Lob. The love hate relationship when dealing with data security in the cloud.
- As I migrate enterprise services to the cloud, should I look at SaaS or PaaS from a security risk perspective?
- Are public cloud data security controls sufficient?
- Why should I be concerned with managing my data security policies in a single pane of glass?
- What is the big buzz around secrets management and will it become a reality?
Although the listed questions represent most inquiries, it certainly is not an exhaustive list. I welcome comments and or additions to the list. We need to all collaborate with our ideas and motivations if any of us have a shot at keeping a balance between business efficiency risks and data security risks on premise and especially in the cloud.
Have questions? Leave a comment below, check out Thales cloud security page, and/or tweet me @rjkcasl. I also recommend you keep an eye out for my next blog, part of a series I’m writing.