
Securing your cloud: 5 essential steps

Smarter Staff
Smarter Writer

This article has been written by the Smarter Business™ Staff Writers

Whenever your business needs to share or store information online, you must check the security of each component before you start moving data.

It doesn’t have to be daunting, as long as you understand and implement appropriate strategies to secure your data in the cloud. Here are five steps worth taking to keep your information secure.

Cloud security is essential for businesses of all sizes.

Own your own data and processes

Cloud adoption raises important questions about responsibilities: when it comes to security work, which responsibilities belong to the tenant (the user of the cloud service) versus the cloud vendor?

Before you enter into any arrangement, make sure you have a clear understanding of your rights as a tenant. Here are just some of the considerations to keep in mind:

  • As with leasing physical space, you need to know the full layout of the storage unit

  • Determine which data security measures are provided by the vendor for storage and which you’ll need to provide for transfer and access

  • Maintain clear architecture documentation that describes your system components and the interfaces between them

  • Be proactive in your security procedures so you can respond to any assessment task and rectification work required.

Define your scope

Cloud cannot be defined as any one single product or service. There are clear distinctions between the different classes of cloud products on the market, plus some blurred lines.

Different cloud components come with their own (sometimes markedly different) security concerns, so you need a different set of assessment skills for each.

A security audit of a cloud gateway, for example, might only tell you about the ‘network-as-a-service’ product used to simplify private and dedicated connectivity to any number of cloud vendors. It won’t tell you anything about the security of products behind that gateway.

Define your deliverables

How do you know if you’re spending too much or too little effort on checking your cloud?

High-profile service failures brought about by poor planning are frequent and painful reminders of how quickly everything can go wrong with potentially disastrous results. Plus, every time we see a news report of hackers making off with thousands of user details and passwords from a major brand (Sony, Ashley Madison and Yahoo! to name but three) we’re reminded that data security breaches can and do happen quite regularly.

Security testing can’t be pushed down a to-do list; it has to be consistent and constant. And security isn’t just about compliance. Compliance is only ever a snapshot of your security against a specific set of requirements.

Do the risks of outsourcing data and processes to the cloud outweigh the benefits? Often the answer is tied to how well prepared your organisation is to deal with security incidents. It comes down to how well you can mitigate issues and reduce risk. 

A major benefit of cloud is access to flexible infrastructure. But no vendor certifications are a substitute for defining your own security framework. Define your processes, deliverables and risk assessment. Through good management you can make great use of cloud products without losing control of your security architecture.

Monitor your PCI-DSS compliance

The security of customer data is vital for any business, but especially critical for businesses that need to handle payment data.

The Payment Card Industry - Digital Security Services (PCI-DSS) publishes a set of 12 guidelines, which are assessed during a PCI audit process. Even if full compliance is not required for your business (PCI-DSS compliance is not yet mandatory in Australia) you should still use self-assessment tools to examine your overall risk.

Compensation costs, legal fees, bank fines and damage to your reputation are only some consequences to consider.

PCI-DSS compliance should be an ongoing process, not a one-off. In 2015, Verizon published a report showing that only 28 per cent of its surveyed customers were still PCI-compliant after one year.

Consider IRAP assessment

Australian businesses that want an independent assessment of cyber security can access it via the Information Security Registered Assessors Program (IRAP).

IRAP was designed by the Australian Signals Directorate (ASD) to meet any level of security required by government departments, and any business can take advantage of free online resources including lists of cloud products that have been IRAP assessed.

The main materials supporting the IRAP framework are the Protective Security Policy Framework (PSPF) and Australian Government Information Security Manual (ISM). The ISM includes a handy “Executive Companion” for time-poor technology decision-makers.

IRAP is useful, but compliance frameworks are only tools. Security in the real world requires real effort.

Your tax dollars fund the ASD, which is tasked with providing high-quality current information on security needs, so take advantage of it!

If you ever need to commission an IRAP assessment, make sure to allow enough time, not only to conduct the review, but also to deal with any potential issues. Certified IRAP assessors deliver an independent assessment of your system, suggest how to mitigate any issues and also highlight any ongoing risks. 

Cloud services can provide amazing value for business. Cloud security is worth the effort. 
