What do Apple, Amazon and Microsoft have in common?
The answer: All three technology giants, considered the gold standard among cloud computing providers, have suffered the ignominy of being breached by hackers.
Apple's "celebgate" incident exposed personal photos of its celebrity iCloud users and made unwelcome news headlines last year. UK technology provider Code Spaces was forced out of business last year after hackers tried to blackmail it and subsequently deleted crucial data from its Amazon Web Services-hosted cloud storage. In 2013, an expired SSL certificate in Microsoft's Azure cloud service gave hackers the chance to bring down Xbox Live and a raft of other cloud-hosted services.
Cloud security risks are rising, with attacks growing at 45% year-on-year globally, according to cloud security firm Alert Logic. In the next five years, US$2 billion will be spent by enterprises to shore up their cloud defences, according to Forrester Research.
First-time cloud users can be most at risk, simply because of unfamiliarity with the new environment and the added burden of having to grapple with a new way of managing users, data and security.
Here are five security must-dos before taking the plunge.
1. Know the cloudy areas
There are three main segments in any cloud deployment - the cloud vendor, network service provider and enterprise. Given that the cloud should be treated like an extension of the enterprise data centre, the question to ask is therefore: can a common set of security services and policies be applied across the three segments? What are the security gaps?
During vendor selection, ask the cloud vendor what security services it provides and which security vendors it works with. The cloud is a dynamic environment and requires regular updates to the security architecture to keep up with the latest threats. How does the cloud vendor guard against new security exploits and zero-day vulnerabilities?
Also find out where the boundaries are in the shared security models that come with the cloud service. Understand the extent of your cloud provider's responsibilities, and your own. In some cloud services, such as IaaS, it is the responsibility of the enterprise to secure its applications and data in the cloud. It is therefore important to know what security appliances and vendors the cloud provider offers or allows the enterprise to deploy in the cloud to do just that.
2. New apps, new fortifications
Ready to move an application into the cloud? Before you do, consider adding new fortifications to the existing security measures you have built around your application's authentication and log-in processes.
To fortify access to your cloud application, use a granular data access scheme that ties access privileges to roles, company positions and projects. This adds a layer of protection if attackers steal your staff's login credentials.
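The access scheme described above, as an added example that is not part of the original article: a deny-by-default check in Python in which role, company position and project assignment must all permit an action, so a stolen login reaches only that user's own project data. The role names, position ranks, users and resources are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed policy: actions each role grants (role names are hypothetical).
ROLE_PERMISSIONS = {
    "analyst": {"read"},
    "engineer": {"read", "write"},
    "project_admin": {"read", "write", "delete"},
}
# Constructed rule: destructive actions also need a minimum company position.
POSITION_RANK = {"staff": 1, "manager": 2, "director": 3}
MIN_POSITION_FOR = {"delete": "manager"}

@dataclass(frozen=True)
class User:
    name: str
    role: str
    position: str
    projects: frozenset

@dataclass(frozen=True)
class Resource:
    name: str
    project: str

def is_allowed(user: User, action: str, resource: Resource) -> bool:
    """Deny by default; all three checks must pass."""
    if action not in ROLE_PERMISSIONS.get(user.role, set()):
        return False  # role does not grant this action (unknown role: nothing)
    if resource.project not in user.projects:
        return False  # user is not assigned to the resource's project
    required = MIN_POSITION_FOR.get(action)
    if required and POSITION_RANK.get(user.position, 0) < POSITION_RANK[required]:
        return False  # position too junior for this action
    return True

def reachable(user: User, action: str, resources: list) -> list:
    """What a session authenticated as `user` can perform `action` on."""
    return [r.name for r in resources if is_allowed(user, action, r)]

# Constructed sample data.
RESOURCES = [Resource("payroll-db", "hr"), Resource("web-logs", "storefront"),
             Resource("order-db", "storefront")]
ALICE = User("alice", "engineer", "staff", frozenset({"storefront"}))
BOB = User("bob", "project_admin", "staff", frozenset({"storefront"}))

if __name__ == "__main__":
    # If Alice's password is stolen, this is everything the attacker can read.
    print(reachable(ALICE, "read", RESOURCES))
```

Calling `reachable` for a given account shows the exposure from that one credential, which makes over-broad roles or project assignments easy to spot before migration.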