By Christopher Stark
Last month, Gartner published a press release highlighting its top predictions for IT organizations and users for 2016 and beyond. In the release, Gartner includes the following finding as its 10th prediction:
“Through 2020, 95 percent of cloud security failures will be the customer’s fault.”
I agree, but I think there is a component missing from this finding. I believe that cloud security failures caused by customers will be closer to 98 or 99 percent, but the ultimate responsibility and blame is on the cloud service provider that doesn’t ensure security for their customers and teach them best practices. I say this because from my experience, I do not think customers aren’t careful, don’t understand security or aren’t trying to protect themselves. The customer just needs to reinforce best practice fundamentals.
My three top issues affecting cloud security moving into 2016:
1. Forgetting One of the Three Levels of Security
In my experience, the majority of security breaches are caused by human error, due to an issue with hardware, software or overall security practices. These encompass what I call the three essential levels of security: physical, logical and methodological. Strong physical security includes armed guards, biometrics, pre-approved clearance and restricted access. Optimized logical security incorporates firewalls, virus protection, intruder prevention, encryption and user-defined permissions. And “methodological” security considers the human factor and confirms every manual process is approved by multiple cleared users. Errors or hacks can occur at any level, but it is the third level, or methodological level, that can cause the most issues. If the cloud provider doesn’t address best practices, such as proper password selection, with its customers, there is a huge risk. Security is only as strong as the weakest link, so implementing safeguarding programs, maintaining continuous testing, and providing ongoing security education are key.
2. Hacking Made Easy = Weak Usernames and Passwords
The most common security breaches occur when customers choose simple username and password combinations, share login information with other users, or use the same login information across multiple platforms. These breaches can easily be avoided if the cloud security methodology of stronger login credentials is passed along to the customer and if the cloud service provider equips its customers with proactive or alternative login solutions.
A number of providers are implementing two-factor authentication (2FA). The components of 2FA are something that the user knows and something that the user possesses, both inseparable from the user: for example, a strong username and password combination and a unique code sent to the user’s cell phone via SMS text or app notification. Because a single credential alone no longer grants access to the program, server or desktop, 2FA is a safer alternative.
3. Managing the Cloud: Who is Responsible?
In the release, Gartner also states that “the characteristics of the parts of the cloud stack under customer control can make cloud computing a highly efficient way for naive users to leverage poor practices, which can easily result in widespread security or compliance failures.” This brings up the discussion about the overall management of the cloud, between the customer and cloud service provider, and who is best fit to implement cloud security measures.
Some customers are still afraid to provide their cloud service provider with full management of their systems because they feel they are losing control and are vulnerable. However, with control comes risk. An outside vendor can protect its customers from current and future security breaches by regularly testing, implementing and updating the infrastructure. For a customer to do this internally would take precious hours away from daily operations. Limiting an individual user’s access to various programs or folders, based on his or her role within the company, also enhances the security level among systems. These are basic security best practices that cloud service providers can ensure are in place in cloud-based solutions along with various other measures.
Moving into 2016 and Beyond
Innovation seems to have grown exponentially in the last decade; technology has progressed so much that security is still trying to keep up and will continue to be the primary focus for IT organizations and users alike. Customers are getting smarter; they know what they want and can ask the right questions to achieve their desired results. Just remember, there is not one silver bullet to solve security issues, but you can better protect yourself and your system from hacks and breaches if you are educated about best practices in security protection.

Gartner Press Release, Gartner Reveals Top Predictions for IT Organizations and Users for 2016 and Beyond, October 6, 2015, http://www.gartner.com/newsroom/id/3143718