There is no arguing that the cloud has changed almost everything about how we do business today. This includes security. As organizations navigate the compliance and risk management landscape, the cloud has modified how they communicate assurances to their stakeholders.
Gerry Miller, Founder and CEO at Cloudticity, recently joined the HITRUST team to discuss the impact of the cloud on business compliance and risk. Catch the whole conversation in the podcast episode, Trust vs. Cloud.
Here are some key insights from that conversation.
Cloud enables agility
The biggest business advantage of cloud solutions is the agility they provide. When New York was hit hard by the pandemic, the State approached Cloudticity to build a data lake and support its contact tracing program. Cloudticity built it in six days. Within six weeks, the hard-hit state used the technological solution to become the first green, safe zone during the pandemic. The rapidly deployed cloud solution enabled transformational impact and helped the state save thousands of lives.
Cloud security can still be compromised
Despite the acceleration in security capabilities and trust enabled by the cloud, breaches can still happen. In such cases, the cloud is not the problem. The problem is a lack of understanding of how cloud services are secured. A lack of knowledge or experience in cloud security can lead to compromise. The techniques that work in a traditional data center do not meet the security requirements of cloud-based solutions. Investment in understanding and using new security approaches is critical as organizations move to the cloud.
Security in the cloud is different
Cloud infrastructure generates a tremendous amount of telemetry data, which has a lot of security value. However, managing the increased volumes of data is a challenge. Companies once relied on humans monitoring screens and trying to identify anomalous patterns. Now, the cloud allows telemetry monitoring solutions and AI-based responses to detect issues and manage systems. Organizations adopting cloud-enabled infrastructure automation can use the wealth of data it provides to monitor and maintain their security.
Human error can expose data in a traditional data center or in a public cloud. However, data exposed in the cloud is more likely to be visible online. When an organization maintains its data in the cloud, it must understand how security is shared across the system. The cloud service provider (CSP) is likely responsible only for protecting the infrastructure and the cloud services, not for the security configuration of the services that protect an organization’s sensitive data. Just as organizations must ensure that they have the right security measures to protect their data, it’s critical that they understand the responsibility they share with their CSPs.
The good news for organizations working toward HITRUST certification is that major CSPs, including Microsoft, Amazon, and Google, are HITRUST certified. They support shared responsibility and inheritance of controls. Customers of such CSPs can use shared responsibility definitions to select and inherit already defined controls from them. This improves consistency and streamlines security certification for organizations.
Assurance updates are essential
When organizations treat compliance as an annual, check-the-box activity, their data is subject to evolving risks. This makes it necessary for organizations to update their assurance regularly. Security compliance takes ongoing commitment and consistency. HITRUST continues to mitigate risks by evaluating upcoming threats and making relevant updates to its controls.
The cloud enables businesses to do more and work efficiently but comes with new risks. As organizations continue through their cloud adoption journeys, their data and cyber security approaches must evolve. For additional insights on cloud security, listen to the full episode.