Organizations are going down a more collaborative route when it comes to investing in their future. Companies everywhere are looking at cloud as a serious future investment, and will have to re-think the way their businesses are structured in terms of processes, architectures, and practices to emulate those of leading cloud providers such as Amazon, Google, or Salesforce.com.
Cloud has been a game changer for enterprise information security efforts. The abundant and rapidly increasing use of cloud services in the enterprise space, along with the diminishing boundaries between an enterprise data centre and the cloud, has introduced a number of new cloud computing security concerns that organizations didn't have before.
Along with the cloud, API-driven architecture is taking centre-stage with its pragmatic benefits to organisations. Not only can this help automate interactions between customers and partners, it can harness the creativity of third-party developers for ingenious uses and add-ons to the existing applications, as well as help organisations interact through business.
With both these services evolving and becoming increasingly important, businesses need to invest in designing systems and architectures that will align and integrate with them, and addressing security concerns is an important part of that. According to a survey by EY, 46% of the projected spend by companies will be directed towards security improvement innovation and expansion. The same report shows that an alarming 62% of organizations have not yet aligned their information security strategy to their risk appetite or tolerance.
Organizations looking to embrace cloud infrastructure need to apply a comprehensive strategy to cloud security, not just a piecemeal approach. A new enterprise security architecture is needed that will:
- Enable distribution of security controls to span across the ‘elastic compute power’.
- Automate security and compliance monitoring in a scalable and portable manner across both traditional datacenter and cloud environments.
- Address both data at rest and in motion and create minimal resource impact across environments.
Some of the security measures that businesses can invest in are:
- Doing an evaluation of the Cloud Service Provider’s (CSP’s) security by means of an independent audit, or validation of its audit report.
- Implementing an update of vendor risk management policies to now include data retention, data residency, RTOs, RPOs and SLA penalties, among others.
- Using a layered authentication model for critical applications and segregating internal and external user credentials.
- Using additional perimeter security like IPsec or VPN when inter-connecting to the enterprise applications, especially if you are working with a mission-critical application that needs to integrate with other business applications.
- Deploying encryption and secure key management instead of, or in addition to, the ones provided by the CSP.
- Ensuring transparency of security operational processes in order to help prevent potential data breaches and security incidents.
- Creating increased visibility in logging and monitoring.
- Achieving a balance between security and performance.
But what can they do about API management and security? API-driven architectures are leading the way for organisations to interact with each other and form business connections, but they are also making them prone to cyber attacks. In 2012, German tech site “The H” proved how easily WhatsApp could be hacked into using freely available tools. API-driven development, therefore, has to ensure a much stronger degree of robustness – you can’t trust clients to independently implement scalability, data validation, error handling, and, crucially, API security. Therefore, the introduction of a service mediation tier with robust security, authentication and authorization capabilities is essential. Layer7 technologies also provide industry leading solutions around API security and management.
Overall, security concerns cannot be taken lightly, especially when it comes to the more collaborative technologies of today. Is your organization doing enough to counter threats?