Discussions about the cloud typically center around a few benefits: scalability, flexibility and cost-efficiency. But when it comes to the negatives of leveraging cloud services, there is only one standout: security.
Cloud security woes often top the list of concerns with the technology, and that is particularly evident in the retail and payments space. After all, organizations that must collect payment card data are usually considered the most at risk with respect to cyberattacks and data breaches. That information is valuable, and hackers will stop at nothing to collect their paychecks. As a result, many businesses that handle payment data fear the cloud. They believe that if that information leaves their sights for even a minute, cybercriminals will gain access to it – and no brand wants to experience the reputational damages that inevitably follow data breaches.
But what if corporate leaders and decision-makers heard that those cloud security and privacy fears are completely unfounded in fact? Would that cause a massive shift in data safety perceptions? Then it'll certainly be surprising to learn that the cloud is inherently more secure than on-premise data centers.
"Cloud service providers are better at IT security than the average organization."
Surprise! The cloud is secure
Just ask the research firm Gartner. Writing for the Smarter with Gartner blog, Jo Bennett explained that cloud service providers are usually more able to maintain and manage "effective security systems and platforms" than the average organization. It's because companies that offer cloud-based solutions have a lot of clients relying on them. Beyond that, cloud providers know that hackers are after them – cloud systems, especially ones hosting payment data, are extremely valuable to cybercriminals. Cloud businesses must have the ability to protect that information or no one would work with them. As a result, they have strong cybersecurity protocols and practices.
IT leaders are slowly but surely starting to realize this. According to a survey conducted by the Cloud Security Alliance, just under 65 percent of IT managers and executives believe that "the cloud is as secure or more secure than on-premises software." These individuals have done their due process to not only evaluate the security practices and technologies of cloud service providers, but they've seen first hand how difficult it is to implement and support cutting-edge data protection processes and systems within their IT environments. Securing digital assets isn't a core competency for retailers and other businesses, yet cloud companies must maintain the best security solutions on the market.
In fact, the strong security aspect of the cloud is inspiring more organizations to move their payment card data and other IT systems to cloud-based environments. Data Center Knowledge contributor Mario Duarte cited multiple experts who reported "a permanent shift is happening." Businesses simply cannot invest the funds required to upgrade their legacy security infrastructure, while other companies likely lack insight into how they can best protect their payment card data and other sensitive digital assets.
More secure than on-premise
If organizations think they're capable, they're probably wrong. Gartner forecasted that 95 percent of "cloud security failures" until 2020 will be caused by cloud users – not providers. The source explained that "the secure use of public clouds requires explicit effort on the part of the cloud customer." In other words, leveraging the cloud doesn't immediately mitigate the risk of a data breach.
The biggest problem is that organizations don't know where their data protection and privacy responsibilities begin and end. This sentiment is echoed throughout the payment space and beyond, as experts from a variety of sectors frequently offer advice for establishing a clear understanding of what cloud providers are handling with respect to data protection and privacy.
"For Platform as a Service (PaaS) the underlying application environment or database should be secured by the provider but any application or service installed on top by the client will need to be secured and patched by the client," said Richard Blanford, managing director of Fordway, told Information Age contributor Chloe Green.
Furthermore, software as a service security responsibility falls onto providers' shoulders, "but authentication to the service and data transfer between service providers should be the main priority for customers," Green wrote.
Probing for answers
Cloud customers should work with their providers to determine best practices, but at the end of the day, it's still cloud users' responsibility to ask the right questions – and there are a lot of specifics. For example, where data is stored can affect data protection legality. As Blanford explained to Green, compliance requirements are different across national borders, and therefore, it's critical to gain insight into data centers' physical locations. Organizations must be sure they are securing data according to the laws of the country in which their data is hosted.
Beyond legal questions, businesses must inquire as to the specifics of their cloud providers' security practices. Dark Reading Partner, Jamie Tischart of Intel Security offered some recommendations as to what to ask:
- What are data access protocols?
- Are cloud providers certified and by whom?
- Do they practice isolation?
- Most importantly, is encryption used?
"In the past 4 years, the finance industry has adopted digital cryptography technologies."
Turning to encryption
When it comes to the cloud, and IT security in general, it doesn't get better than encryption. This fact is recognizable given the recent news surrounding Apple and the United States Federal Bureau of Investigation. The FBI cannot crack Apple's encryption, and as a result, it's asking for the tech company to construct a workaround. Without choosing sides, it's pretty clear that encryption is great at securing sensitive digital assets, especially payment card data.
Defense Systems cited a report that was released at the recent RSA security conference, and it said that the finance industry has been increasingly taking advantage of digital cryptography technologies in the past four years, particularly in cloud-based IT environments – and that category of encrypt tech includes tokenization, a technique that replaces data with "tokens" that obfuscate the true nature of information.
It's time to dispel the myth that the cloud isn't secure. This misinformation is preventing the payments sector and corporate world at-large from adopting more cutting-edge approaches to data security and privacy. In the coming months, cloud security perceptions are certainly expected the shift, and then, more organizations will be willing to host their sensitive data in the cloud.