There’s a strain of conservatism among certain IT professionals — the enthusiasm for all things new and innovative is tempered by skepticism about security challenges and other issues. Part of this is simply the nature of our industry. After all, it’s our job to anticipate risks and develop creative ways to mitigate them. However, this type of caution also leads to the kind of broad thinking and blanket statements that ultimately do little to address individual security challenges on an organizational level. Broad skepticism is particularly prominent when comparing cloud security vs. traditional networks. Many IT professionals view cloud security as a more risky proposition.

One of the reasons for this is simply exposure. As more data is migrated online, more security breaches will occur. Because many of these breaches have been high profile — involving the personal data of customers from several major retailers — it speaks only to the fact that the enterprise workloads of organizations of this stature are increasingly being moved to the cloud.

The question we should be asking is not whether there are more security challenges in cloud computing, but instead, how we can refine our individual security postures to manage risks more effectively. Recent breaches at Target, UPS and other organizations should serve not as cautionary tales of the cloud’s insecurity, but as examples of how poorly designed and implemented systems can put big data at risk.

How to Prioritize Cloud Security Compliance

It’s clear that there are security benefits to moving to the cloud. When moving to the cloud, try to move outside the security lens of traditional IT. After all, new methods of working demand new approaches to security. Here are three things to consider when adjusting your security practices and priorities for the cloud:

1. Define problems early. Cloud security is similar to solving a complex problem, and the best way to begin that is by clearing defining your objectives. Make a list of your security and compliance priorities and challenges, and start from there.
2. Access control is essential. One thing that is often forgotten when talking about cloud security concerns is that the location of your stored data is nowhere near as important as who has access to it. Establishing authorization and access controls — including implementing the principle of least privilege — is the best way to manage risk and limit the possibility of a breach.
3. Prioritize vulnerability testing. Vulnerability testing is an important ally in cloud security management. The more rigorous testing your system undergoes, the better equipped you’ll be to design and implement proactive security controls.

Using these ideas as a starting point, you can manage risks more effectively and position yourself to enjoy the benefits of the cloud without compromising your critical assets.

The “Notorious Nine”

Together, the above concepts should inform and guide your approach to staying safe in the cloud. With that in mind, what is the specific challenges cloud users face? And how can you overcome them? In 2015, the Cloud Security Alliance published The Notorious Nine, a paper detailing the key threats that cloud-based systems must protect them against. These threats include:

• Data breaches, which typically result from a flaw in an application’s design or other vulnerability.
• Data loss as a result of a malicious attack, an accidental deletion or a physical problem in the data center.
• Account hijacking, including the use of phishing, fraud, or social engineering to obtain a user’s private login information.
• Insecure interfaces, as cloud services depend on APIs to provide authentication, access control, encryption and other key functions. Vulnerabilities in these interfaces can increase the risk of a security breach.
• Denial of service attacks, in which a malicious actor prevents users from accessing a targeted application or database.
• Malicious insiders, such as employees or contractors, who use their position to gain access to private information stored in the cloud.
• Abuse of services, which involves hackers who use the limitless resources of the cloud to crack an encryption key, stage a DDoS attack or perform other activities that would not be possible with limited hardware.
• Insufficient due diligence, which is one of the most neglected threats against a cloud network. Failing to properly anticipate the risks of working in the cloud, or rushing the migration process, can expose organizations to considerable amounts of risk.
Shared vulnerabilities, including platforms or applications accessed by different users in a multi-tenant environment. In these rare scenarios, even a single vulnerability can have monumental consequences.

Interestingly enough, the main concerns of individuals who are hesitant about the cloud are not included on the above list. Having physical access to your servers is unlikely to prevent any of the listed threats, and the possibility of a catastrophic loss or data breach is equally likely regardless of the maturity of the standards being employed.

By changing approach to reflect the realities of the cloud, and prioritizing security in the ways suggested above, it’s possible to enjoy all the benefits of moving to a SaaS platform without risk.