For most industries, cloud services have already become part of the corporate infrastructure, either by design or, more often, by workers adopting cloud services without the approval of the IT department. Cloud-service assessment firm Skyhigh Networks, for example, adds approximately 500 cloud services to those that it already tracks, according to CEO and co-founder Rajiv Gupta.
"Employees are using cloud services almost with abandon, without assessing the risk of those services," Gupta says. For that reason, the security requirements will move front and center in 2014, he says. No wonder, then, that nearly half of all IT managers continue to be concerned about the security of their cloud resources, even though 35 percent believe the security of the cloud to be superior to on-premise deployments. One reason: Many cloud providers continue to fail to address the concerns of their clients, says Charles Burckmyer, president of security-service provider Sage Data Security, whose clients often work with the firm to assess the security of third-party cloud services.
"Clients need to build a structured approach to working with cloud vendors and have a process for creating permissible exceptions, assigning risks and mitigating that risk," he says. "Support around and by cloud services is vital for most clients today."
By opening a dialogue with their cloud providers, companies can create a secure hybrid infrastructure. Here are five topics that companies should discuss with their cloud providers in 2014, according to security experts.
1. Make security responsibilities clear.
Cloud-service providers continue to place the responsibility for securing business data on the client, while many clients assume that cloud services will take responsibility for the data stored in their services.
The gap in expectations narrowed in 2013 compared to previous years, but more than a third of customers still expect their software-as-a-service provider to secure the applications and data, according to a Ponemon Institute study released in March. Only 8 percent of companies assess the security of the applications using their information-technology and security teams, the study found.
While many industries have moved to the cloud without concern, security-conscious industries and those that have to comply with regulations are balking because cloud providers are not clarifying their risk, says Sage Data Security's Burckmyer.
"Cloud-vendor due diligence and understanding what your responsibilities are, as a client, and what your vendor is doing to support you in those responsibilities is a very necessary topic," he says. "There has been a reticence about moving to the cloud, from a regulatory and from a security standpoint, because many providers are not doing enough."
2. Design systems to provide meaningful log data.
Companies increasingly want to collect security information on what is happening to their data and applications out in the cloud. Yet many cloud providers do not supply detailed log files or cannot adequately separate the events pertaining to one customer from those dealing with another.
"We need to make that the default standard practice, that there is a certain amount of logging information that is available proactively for all the different analytics that companies need to track," says Jim Reavis, CEO of the Cloud Security Alliance. "A big sore spot has been log file information, and that has been a sticking point."
Keeping audit logs of admin access is especially important, but most smaller cloud services do not provide such information.
3. Encryption needs to be pervasive.
Companies are not only demanding end-to-end encryption in the cloud, but increasingly asking for cloud providers to allow them to encrypt data on-premise before sending it to the cloud.
Cloud providers should not only work with their customers, but develop strong encryption solutions that allow the companies to be confident that their data is secure, while allowing some features to be preserved, says Sanjay Beri, CEO of cloud-service management firm Netskope.
"Encryption is the one thing that they, as an app provider, can do better than anyone in the middle," Beri says. "No one knows the app better than they do, and as long as they expose the keys to be managed by someone else, many customers will be very happy."
4. Alert users to anomalies.
Encryption, however, is not sufficient to protect a customer's data if an attacker has gained access to account credentials. For that reason, cloud providers must also maintain good anomaly detection systems and share the information and audit records from those systems with the client, says Skyhigh's Gupta.
"You need all these different tools to make sure that the cloud provider meets the customer's requirement," he says. "It is a layered approach."
5. Discuss protections from third-party access.
While cloud providers have to abide by the jurisdiction of the nation in which they do business and in which their data resides, the revelations about the massive data collection conducted by the U.S. National Security Agency and other nations' intelligence groups have left companies increasingly asking cloud providers about who requests data, how frequently, and whether the provider complies with the requests.
"It is very clear that providers need to help consumers understand how they manage and handle requests for information," says the CSA's Reavis. "Providers are not beginning to see that they need to put government requests at arm's length."
That clarity needs to extend to the ownership of the information as well, says Skyhigh's Gupta. Cloud providers need to emphasize that their clients continue to own their own data, and be as explicit as possible about the provider's use of that data.
"How long do they keep your data? In some cases, they keep your data longer than you want them to, in others, they don't give you enough time to retrieve your data, if you leave the service," he says.