#DSCloud16: Firms must take an evidence-based approach to cloud security
15 June 2016
In the face of new regulations and increased penalties, businesses must make sure more than ever before that they take an evidence-based approach to choosing a cloud provider, according to an expert.
Speaking at Data Security in the Cloud 2016, Daniele Catteddu, chief technology officer at the Cloud Security Alliance, said firms need to face up to the prospect of the cloud, which is now an unavoidable part of business.
"Cloud is going to be your first choice whenever you are going to buy IT services," he said.
Catteddu highlighted the "treacherous 12" top threats to cloud computing, which were led by data breaches, compromised credentials and insecure APIs.
"Insecure APIs are very high on the list because that is the main point of contact between providers and customers, really," he explained.
In future, businesses will have to deal with the new General Data Protection Regulation and Network and Information Security directive along with increasingly sophisticated cyber criminals, he said.
“This calls for a new approach to governance and security,” Catteddu said. “This means a new approach based on collecting information… It means a move from trust based on feelings to evidence-based trust.”
This means cloud service providers must make co-operation a priority, sharing incident information and being transparent about their controls and security measures.
“From that point of view, there is clearly a communication gap that needs to be addressed,” said Catteddu. “There is no question about that.”
He explained that a lack of transparency has so far given some providers a competitive advantage, but that trust is becoming more important for clients.
Catteddu advised firms to “place the big rocks first”, understanding and assessing risks, identifying their requirements, enforcing their basic security and monitoring, auditing and certifying providers.
“We have seen a lot of projects failing because of a miserable exercise in collecting their requirements,” Catteddu said.
The European Union’s new General Data Protection Regulation will both clarify cloud security and raise the stakes for businesses that need to ensure they are compliant with regulations, he said, so it is more important than ever before that they get cloud security right.