Most organizations aren’t clear on what they, and their providers, should be doing to secure their cloud services, according to a new IDC report.
The report, “Cloud Security Responsibilities: 7 Questions Most Canadian Organizations Haven’t Tackled,” outlines the roles for organizations and service providers in securing cloud services, no matter which model they use.
“When you get engaged with a cloud provider, it’s a marriage. You have to ask the right questions up front,” said Jim Love, CIO of ITWC and host of a recent webinar, “The Connected Workplace.” The report and the webinar, part of a series, were sponsored by TELUS.
Canada is catching up on cloud
“Cloud is one of the key enablers for digital transformation,” said David Senf, Vice President, Infrastructure Solutions Group with IDC Canada. “There is a huge amount of change happening in our market.” The report shows that public cloud adoption in Canada has grown significantly over the past five years, approaching a total spend of $3 billion. “Canada is starting to catch up to the rest of the world,” said Senf.
There is also a shift taking place in the cloud economy. Canadians are not as focused on private clouds as in the past, said Senf, and hybrid models are becoming a reality. In particular, the pay-as-you-go model, Infrastructure as a Service (IaaS), is taking off, with 54 per cent growth in the past year.
However, with these flexible cloud models, the potential attack surface changes, said Senf, and not enough organizations have the right security practices in place. He noted that 35 per cent of Canadian firms fit into a “denialist” security profile. These are the types of organizations that spend more on technology but end up with less security, because they don’t set investment priorities based on business value.
The essentials in cloud security
Senf stressed the importance of a “back-to-basics” approach on security. If you do the basics, he said, “that will get you 90 per cent of the way there.”
“The first rule of thumb for organizations to secure their cloud services is to know their role, as compared to that of the service provider,” said Senf. The report provides a detailed checklist outlining who is responsible for securing each aspect of the service for every cloud deployment model, from Software as a Service (SaaS) to hybrid models. From a broad perspective, physical security is no longer the client’s responsibility in the cloud. Rather, the service provider is responsible for protecting the server, storage, network and other hardware. “The checklist provides a useful basis for discussion with your service provider to ensure that responsibilities are clear for each party,” noted Love.
Secondly, organizations need to make sure they have a long-term plan in place. They need to implement different layers of security depending upon the business value of the assets to be protected. “The risk assessment and ongoing review can be time-consuming,” said Senf, “but it’s the only way to progress.”
Finally, Senf said, organizations must remember that they are solely responsible for the collection, use and disclosure of their data. “The data is always yours,” he added.
“Digital transformation is here and cloud is a fundamental component of that,” said Senf. “We want to embrace cloud in Canada and to work with our service providers to make sure it is as secure as possible.”