Kleber Melo, President of the (ISC)² Advisory Council for Latin America
The use of Cloud and Hybrid Cloud tools has reduced companies' costs in an unprecedented way and stimulated their growth worldwide. Several surveys show that the Cloud is here to stay, which makes it important to analyze the most effective measures to control and mitigate risks such as intrusion threats, attacks, leakage of sensitive information and unavailability of services.
Cloud security is a major concern for IT managers around the world. Estimates indicate that more than 70% of them do not trust traditional data protection techniques. In addition, the Cloud Security Alliance (CSA) reports that only 16% of organizations have fully implemented policies and controls for Cloud use. The CSA also states that 80% of companies with more than five thousand employees cannot say how many Cloud applications their professionals use.
The Cloud model adopted also affects control over infrastructure, applications and databases. According to the Crowd Research Partners Threat Report, 62% of respondents find it more difficult to detect and protect against internal threats than external attacks. The situation is even more complex because the main failures are the responsibility of the users themselves, and only 38% of organizations have a security policy with defined rules and responsibilities for data protection.
Risk situations are still very common, since many companies believe that the security of Cloud data is the provider's responsibility, or assume that access control limited to usernames and passwords, plus encryption of data in transit, is enough to protect data stored or processed on Cloud servers.
Almost always because of a lack of investment or of trained professionals, security is relegated to a lower priority, and those responsible believe that sporadic analysis of logs, or of occurrences reported by users, is sufficient to contain losses or incidents.
An effective implementation of protection policies and access controls considers the following actions: mapping the services that users adopt on their own; strict criteria for granting privileged access; authenticated session control with expiration both by elapsed time and by inactivity; identity management integrated with Human Resources and third-party processes; identification of access type, location, time and profile to detect harmful behavior and possible loopholes in the controls; and encryption of data both in transit and at rest, so that data is not exposed in either state.
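As an added illustration of two of the controls listed above (session expiration by elapsed time and by inactivity, and restricting privileged actions to explicitly granted roles), here is a small session store. It is example code written for this page, not from the author or from (ISC)², and the lifetimes, role names and action names are assumptions.

```python
"""Added example (not from the original article): a minimal authenticated session
store that enforces both expirations the text describes, absolute lifetime and
inactivity timeout, and refuses privileged actions unless the session carries an
explicitly granted privileged role. Limits, role and action names are assumed."""
from dataclasses import dataclass
import secrets

MAX_LIFETIME = 8 * 3600   # absolute session lifetime in seconds (assumed policy)
IDLE_TIMEOUT = 15 * 60    # inactivity timeout in seconds (assumed policy)

# Actions that require a privileged role (assumed names)
PRIVILEGED_ACTIONS = {"delete_bucket", "change_iam_policy"}


@dataclass
class Session:
    user: str
    created_at: float   # when the session was issued
    last_seen: float    # last authenticated activity
    roles: frozenset    # roles granted at login; never widened afterwards


class SessionStore:
    def __init__(self):
        self._sessions = {}

    def create(self, user, roles, now):
        """Issue an unguessable token bound to the user and its granted roles."""
        token = secrets.token_urlsafe(32)
        self._sessions[token] = Session(user, now, now, frozenset(roles))
        return token

    def validate(self, token, now):
        """Return the session if still valid at time `now`; otherwise revoke it and return None."""
        s = self._sessions.get(token)
        if s is None:
            return None
        if now - s.created_at > MAX_LIFETIME or now - s.last_seen > IDLE_TIMEOUT:
            del self._sessions[token]   # expired sessions are removed, not just rejected
            return None
        s.last_seen = now   # activity extends the idle window, never the absolute limit
        return s

    def authorize(self, token, action, now):
        """Decide whether `action` may proceed under the session identified by `token`."""
        s = self.validate(token, now)
        if s is None:
            return "denied: no valid session"
        if action in PRIVILEGED_ACTIONS and "admin" not in s.roles:
            return "denied: privileged action requires admin role"
        return "allowed"


if __name__ == "__main__":
    store = SessionStore()
    tok = store.create("alice", {"user"}, now=0)
    print(store.authorize(tok, "read_object", now=60))          # allowed
    print(store.authorize(tok, "delete_bucket", now=120))       # denied: privileged
    print(store.authorize(tok, "read_object", now=120 + IDLE_TIMEOUT + 1))  # denied: expired
```

The point of keeping the absolute limit separate from the idle limit is that continuous activity, legitimate or scripted, cannot keep a session alive indefinitely; the privileged-action check shows that roles are fixed at login rather than inferred from the request.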
According to the Crowd Research Partners Threat Report, 47% of companies are unable to detect internal attacks or do not measure detection time, and 43% report incident response times of up to one week.
As it is impossible to protect against unidentified threats, active security monitoring through Data Loss Prevention (DLP), Security Information and Event Management (SIEM) and Secure Enterprise Content Management (SECM) solutions, among others, must be implemented for detection and protection of information to succeed. It is even better if the solution is integrated, monitoring infrastructure, data movement and applications together, and considering the context and usual behavior of all users involved.
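To make the "usual behavior" idea concrete, the following added example (written for this page, not code from the author or from any of the products mentioned) learns each user's normal source country, working hours and download size from constructed baseline log lines, then flags new events that deviate on any of those axes. The log format, thresholds and sample data are all assumptions.

```python
"""Added example, not from the original article: a small behavioral correlation
check in the spirit of the integrated monitoring the text describes. A per-user
baseline (countries, hours, largest download) is built from constructed log lines,
and new events are flagged when they deviate. Format and thresholds are assumed."""
import re
from collections import defaultdict

# Assumed log line format: ISO timestamp, user, ISO country code, action, byte count
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT(?P<hour>\d\d):\d\d:\d\dZ) user=(?P<user>\S+) "
    r"country=(?P<country>[A-Z]{2}) action=(?P<action>\S+) bytes=(?P<bytes>\d+)$"
)

# Constructed sample data (not real logs): the learning period
BASELINE_LOGS = """\
2024-05-01T09:12:03Z user=alice country=BR action=download bytes=120000
2024-05-01T14:40:11Z user=alice country=BR action=download bytes=98000
2024-05-02T10:05:44Z user=alice country=BR action=upload bytes=4000
2024-05-01T08:55:20Z user=bob country=BR action=download bytes=50000
2024-05-02T17:30:09Z user=bob country=US action=download bytes=61000
"""

# Constructed sample data (not real logs): events to evaluate against the baseline
NEW_LOGS = """\
2024-05-03T10:15:00Z user=alice country=BR action=download bytes=110000
2024-05-03T03:20:00Z user=alice country=RU action=download bytes=2500000
2024-05-03T16:00:00Z user=bob country=US action=download bytes=58000
2024-05-03T16:05:00Z user=carol country=BR action=download bytes=1000
"""

VOLUME_FACTOR = 5   # alert when a download exceeds 5x the user's largest baseline download
HOUR_TOLERANCE = 2  # hours of slack around previously seen access hours


def parse(text):
    """Parse log lines into dicts; malformed lines are skipped rather than aborting."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            d = m.groupdict()
            d["hour"] = int(d["hour"])
            d["bytes"] = int(d["bytes"])
            events.append(d)
    return events


def build_baseline(events):
    """Per user: seen countries, seen access hours, and the largest download observed."""
    base = defaultdict(lambda: {"countries": set(), "hours": set(), "max_bytes": 0})
    for e in events:
        b = base[e["user"]]
        b["countries"].add(e["country"])
        b["hours"].add(e["hour"])
        if e["action"] == "download":
            b["max_bytes"] = max(b["max_bytes"], e["bytes"])
    return base


def detect(events, baseline):
    """Return (user, reason) alerts for events that deviate from the user's baseline."""
    alerts = []
    for e in events:
        b = baseline.get(e["user"])
        if b is None:
            alerts.append((e["user"], "no baseline: unknown user"))
            continue
        reasons = []
        if e["country"] not in b["countries"]:
            reasons.append(f"new country {e['country']}")
        if not any(abs(e["hour"] - h) <= HOUR_TOLERANCE for h in b["hours"]):
            reasons.append(f"unusual hour {e['hour']:02d}")
        if e["action"] == "download" and e["bytes"] > VOLUME_FACTOR * b["max_bytes"]:
            reasons.append(f"download volume {e['bytes']} exceeds baseline")
        if reasons:
            alerts.append((e["user"], "; ".join(reasons)))
    return alerts


def run():
    """Build the baseline from the learning period and evaluate the new events."""
    return detect(parse(NEW_LOGS), build_baseline(parse(BASELINE_LOGS)))


if __name__ == "__main__":
    for user, reason in run():
        print(f"ALERT {user}: {reason}")
```

Each alert carries every reason that fired, which is what lets an analyst distinguish a single benign change (a user travelling) from a combination (new country, off-hours and a large download together) that warrants immediate follow-up. A real deployment would learn the baseline continuously and feed the alerts into the SIEM rather than printing them.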
The considerations in this text are not intended to exhaust the topic of security in the Cloud. There are many other important points to consider, from the infrastructure to the application development criteria for Cloud, which have different characteristics from the traditional IT model.
For this reason, (ISC)² together with the CSA (Cloud Security Alliance) developed the CCSP (Certified Cloud Security Professional) certification, which is of great value to professionals who want and need to deepen this knowledge. The CCSP certification is a clear indication of the potential of this market, and I am sure that those who pursue it will be ahead, standing out in an increasingly competitive job market.