The march of cloud computing is unstoppable. Enterprises in all sectors are adopting the cloud for almost every type of workload. It’s estimated that by 2020, 83% of enterprise workloads will be executed in the cloud. The benefits of cloud are inarguable, but enterprises should remain aware of cloud computing security issues and compliance hurdles.

Challenges specific to cloud computing

As McKinsey stated, the changes in how enterprises use technology have made corporate environments harder to protect while increasing the importance of their protection at the same time. When digital data becomes more extensive, businesses are expected to become more ‘open’ and connected, even though the cybercrime landscape evolves year after year.

Cost savings, flexibility, mobility and security, to some extent, are driving rapid cloud adoption. A focus on Platform as a Service (PaaS) and Infrastructure as a Service (IaaS) allows organisations to carry out digital transformation smoothly and shorten the time to market. Supply chains are also becoming more sophisticated and interconnected. That means responsibility is shared with a vendor, but accountability still rests with the business itself.

Deploying cloud technology inevitably implies a loss of control in some respects. When it becomes harder to know exactly what data you even own, asset management, vulnerability management and incident management all become more challenging.

As always, awareness of the challenges involved is key to reducing cloud computing security issues and compliance exposure:

Vendor risk. Before cloud adoption, enterprises enjoyed expansive control over on-premise IT equipment, and vendor risk was limited to firmware and software updates. Cloud implementations imply far broader vendor risk. Cloud vendors are responsible for everything from network security to regulatory compliance, and it is challenging for clients to verify the assurances put in place by vendors.

Data regulations. Enterprises that handle personal and financial data face stiff penalties for violating data protection requirements. Regulations such as GDPR mandate that data is controlled and protected to a high degree. It is easier to comply with data regulations when data is stored on-site or on equipment controlled by an enterprise. Data in the cloud is a different matter altogether.

Credentials and data leakage. Utilising the cloud implies that a wider range of parties will have access to enterprise data, from a wider range of locations. Controlling access rights becomes more difficult once physical barriers are removed, and handing data to an independent third party automatically implies a loss of control.

Mitigating cloud computing security issues and compliance challenges

While it’s pretty easy to scale to the cloud from a technological perspective, proper governance needs to become a top priority, including compliance, risk management, vendor management, proper data classification, access control and change management.

It is impossible to eliminate all technology security exposures from a closed, on-premise computing platform, and it is even more challenging to do so in a cloud environment. However, risk mitigation can be effective in reducing the opportunities for loss, harm or noncompliance to minimal levels.

Once your enterprise is aware of the unique cloud computing security issues and compliance risks that enterprise cloud computing poses, it can take mitigating actions:

Measure your risk exposure. Every enterprise adopts cloud computing in a different shape and form. Public clouds can be more cost-effective than a private or hybrid cloud, but they involve relinquishing more control over security and compliance aspects. Similarly, opting for Software as a Service (SaaS), instead of IaaS combined with your own software, implies less direct control over the software environment. Choose the solution that matches both your own risk tolerance and your client’s.

Risk-profile your vendors. When using cloud computing, enterprises should remain vigilant against vendor risk. Consider questions around ownership, vendor sustainability and security practices. These questions should also be asked of the vendor’s partners, as cloud risk management also implies managing risks at the weakest link.

Rapidly learn from failure. Cloud security breaches are constantly in the news, and in many cases, the attackers found brand-new exploits. Wise enterprises will rapidly learn from the mistakes of others and ensure cloud computing practices are quickly adapted to guard against rapid changes in the security environment.

Tightly manage user behaviour and credentials. The cloud is easy to use, accessible and open. Users should be educated in good security practices, while enterprise IT management should insist on inconvenient but effective practices such as two-factor authentication. Also, user credentials should be managed with extreme care: cloud credentials are effectively the keys to the premises.

Get to grips with data compliance. In taking advantage of the cloud, enterprises should strongly focus on the detailed terms of service and ensure that public clouds, hybrid clouds and SaaS/PaaS meet local and international regulatory standards. Understand where your data is stored and ensure that you only work with cloud vendors that practise the required compliance regimes.

From the compliance perspective, you will rely on your vendor’s capabilities to provide data security, resources and workloads. Make sure you've covered the essential aspects from your side as well: