More and more business applications are migrating to the cloud. But outside the company, we face new risks. Learn how to protect mission-critical applications in the cloud. Five years ago, hardly any company was interested in the security of business software. Concerns generally related to security gaps in data; the applications themselves were barely in focus. But as more and more software companies move to the cloud, this view has progressively changed, because the cloud offers new opportunities for attack. As a result, security awareness has increased, and so have the demands on developers' expertise in securing applications.
Six Steps for Cloud Security : More Risks are on the Internet
With the increasing digitization of all companies and industries, we have to accept the risks of access over the Internet, yet even very basic security measures are often not implemented. For corporate data in the public cloud the risk is high, and the increasing use of mobile devices under the bring-your-own-device (BYOD) trend is also giving IT managers at many companies a headache. These smart devices have a completely different security profile from traditional desktop PCs. The mobile infrastructure carries a double risk:
- The device itself has very low security standards
- In addition, the unsecured radio communication is a popular target.
In addition to the data, the business software itself can be a source of danger. Hosting in a public cloud can give rise to new attack scenarios. Outsourcing critical business processes to the cloud adds all the dangers that exist on the Internet: viruses, trojans and bots. In the worst case, a whole company comes to a standstill without any warning.
Business software, however, is generally not designed to protect against such risks. It is therefore all the more important for a company to answer the question of which data and applications are moved to the cloud and how they are adapted to the risks there. If companies follow the six steps below, they significantly reduce the risk to data and business software without sacrificing the benefits of the cloud.
Six Steps for Cloud Security
Step 1 : Pay attention to security certificates
Because customers are increasingly aware of the security of business software, providers know that their products may increasingly be tested for vulnerabilities. Users should therefore pay attention to security evaluations by third parties.
Step 2 : Take business software under the microscope
If software vendors do not keep to their security certification despite promises, they may be liable. But if the provider cannot be identified, as with open-source components, the user bears the risk, because he has used the software on his own responsibility. This problem is acute: architectures consist of several components that are developed by different providers or contain open-source modules. This risk can be assessed with the help of public databases that list the risks of open-source components.
Step 3 : Separate Data by Relevance
Basically, companies should consider which data and applications can usefully be outsourced to the cloud and which should better remain on-premise with the company. If the information is non-critical, privacy does not stand in the way of using a cloud. For sensitive and critical data, however, the question arises whether an interface to the cloud is attached at all. Two things have to be observed. First, with business software from the public cloud, providers usually supply advanced interfaces, which the user should configure individually to ensure that only non-critical data are connected to the Internet. Second, cloud service providers can be held responsible, because basically they are responsible for the security of the data.
Step 4 : Encryption of Critical Data
Through service level agreements (SLAs), a provider will be held liable for damages caused by vulnerabilities. However, even if the cloud provider promises the highest level of security, a residual risk always remains. To address this, it is useful to encrypt critical data before they are outsourced to the public cloud.
Most companies do not want to miss out on the advantages of cloud computing. Processing the data only in the public cloud makes no sense, however, because that would require decryption in the cloud, which would render the encryption absurd. Critical data should therefore not be edited using business software from the public cloud. Currently, only a third of companies encrypt data; the other two thirds justify not doing so with the increased effort and encryption-related performance degradation.
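The approach of Step 4, encrypting critical data before they leave the company and decrypting them only on-premise, shown as an added example that is not part of the original article. It uses Node.js's built-in crypto module; the record layout, the field names and the list of critical fields are assumptions made for illustration.

```javascript
const crypto = require('node:crypto');

// Assumption: which fields count as critical comes from the company's own data classification.
const CRITICAL_FIELDS = ['iban', 'salary'];

// Encrypt one value with AES-256-GCM. Record id and field name are bound as
// associated data, so a ciphertext moved to another field or record fails to open.
function sealField(key, recordId, field, value) {
  const iv = crypto.randomBytes(12); // fresh 96-bit nonce for every encryption
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  cipher.setAAD(Buffer.from(`${recordId}:${field}`));
  const ct = Buffer.concat([cipher.update(String(value), 'utf8'), cipher.final()]);
  return [iv, cipher.getAuthTag(), ct].map((b) => b.toString('base64')).join('.');
}

// Decrypt one sealed value; final() throws if key, ciphertext or binding do not match.
function openField(key, recordId, field, sealed) {
  const [iv, tag, ct] = sealed.split('.').map((p) => Buffer.from(p, 'base64'));
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, iv);
  decipher.setAAD(Buffer.from(`${recordId}:${field}`));
  decipher.setAuthTag(tag);
  return Buffer.concat([decipher.update(ct), decipher.final()]).toString('utf8');
}

// Build the copy that leaves the company: critical fields sealed, the rest in clear.
function prepareForCloud(key, record) {
  const out = { ...record };
  for (const f of CRITICAL_FIELDS) {
    if (f in out) out[f] = sealField(key, record.id, f, out[f]);
  }
  return out;
}

// Runs on-premise only: restore the critical fields after download.
function restoreOnPremise(key, cloudRecord) {
  const out = { ...cloudRecord };
  for (const f of CRITICAL_FIELDS) {
    if (f in out) out[f] = openField(key, cloudRecord.id, f, out[f]);
  }
  return out;
}

// Constructed sample record; the key is generated locally and is never uploaded.
const key = crypto.randomBytes(32);
const sample = { id: 'emp-001', department: 'Sales', iban: 'DE00 0000 0000 0000 0000 00', salary: '52000' };
const cloudCopy = prepareForCloud(key, sample);
console.log(cloudCopy);
```

The cloud side stores and returns `cloudCopy` unchanged; it never holds the key, so the sealed fields cannot be processed there, which is the trade-off the step describes.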
Step 5 : Secure Mobile Devices
With the increasing use of smart devices in the corporate environment, especially with the BYOD trend and the development of business software apps, mobile devices are also a security hazard, because an app that accesses the Internet opens a possible path of attack on the data. To provide this vital protection, additional services therefore have to divide the device into two “security zones”, virtually turning one smart device into two devices. The private zone is not secured and is quasi-public; this is where the apps are installed. In the second zone, the corporate zone, by contrast, applications cannot run. This secure area holds a “hardened” operating system and the critical data. Because the user can communicate with the company only through the secured zone, the communication protocols there are also tied to the company. Even if employees use their own devices at work, companies can implement this security strategy, provided they develop a corresponding policy. In practice, such additional services are used only hesitantly, because they increase the complexity of a device.