The days when most companies completely shied away from using cloud resources for highly sensitive data or applications have passed, and for good reason. Today, cloud providers may offer better cybersecurity protections than many companies can provide on-premises. But you need to know what to look for in a cloud provider.
The security professional shortage
Some 3.5 million cybersecurity jobs are unfilled globally, with 750,000 of them in the U.S., according to researchers at Cybersecurity Ventures. This drives up wages, making it both expensive to hire security professionals and difficult to retain them.
Cloud service providers (CSPs) often have an edge in that regard. Given the nature of their business, costs for security are baked into the business model. They know how damaging a cybersecurity incident can be – the annual IBM/Ponemon Institute Cost of a Data Breach report puts it at $4.88 million in 2024 [1] – and thus take the necessary steps to reduce cyber risk. That includes both paying market rate for quality expertise and offering ongoing training in cybersecurity to existing employees.
Any company is likewise interested in avoiding security incidents and takes reasonable steps in that regard. But if security is not fundamental to your business, it’s difficult to compete for rare security professionals with those companies for which it is.
Defense in depth
How the CSP attracts, trains, and retains security professionals is certainly an issue to raise when vetting providers, along with the company’s overall security strategy. Adherence to a defense-in-depth strategy should be front and center.
Defense in depth involves having multiple layers of security protections; if any single layer is breached, there’s another standing in the way of would-be intruders. In practice, that could mean firewalls protecting the cloud perimeter, then identity management tools (authentication, authorization, accounting, or AAA) to ensure only authorized users are allowed in. Intrusion detection/prevention systems (IDS/IPS) can detect when an intruder succeeds in breaching those systems, while application security tools prevent unauthorized access to specific apps.
Closely related to defense in depth is a zero trust architecture, where the cloud company basically assumes all potential users are unauthorized until they prove otherwise, using various AAA measures including multi-factor authentication. (Zero trust can also apply to other cloud infrastructure, including servers, databases, and applications.)
Third-party certifications
Finally, ask prospective cloud providers which third-party security certifications they’ve earned.
“Certifications including SOC 2 and ISO 27001 require in-depth audits and are a testament to sound security practices,” said Jason Bright, a product marketing manager with Hyland, an enterprise content management company that has earned both certifications. “Hyland is also part of the Cloud Security Alliance and has achieved the STAR certification and the Trusted Cloud Provider elevation.”
Hyland last year launched a Trust Center to provide transparency to customers regarding how information is stored, processed, and protected. Trust Center is also a repository of controls, policies, certifications, audit reports, and third-party attestations that provide further proof of Hyland’s security posture. Customers can view and download SOC 2 attestations, ISO 27001 and TX-RAMP certifications, a due diligence package (including SIG documentation), and information on how Hyland enables customers to achieve compliance with GDPR, CCPA, HIPAA, and other regulatory data privacy frameworks.
Such measures are indicators of a company that takes cloud security seriously and invests in reducing risk for clients. As cloud services continue to play a larger role in enterprise IT strategies, IT leaders would do well to pay attention to how well their providers can back up their cybersecurity claims.
[1] “Cost of a Data Breach Report 2024,” IBM.com.