As discussed in our last blog, even as more companies begin to explore the benefits of cloud computing, concerns about security continue to abound. It is true that the more familiar IT decision-makers are with the cloud, the more likely they will be to trust it. Yet companies and agencies should also remain engaged in their own application security. No matter where data is stored, a strategic website security plan is necessary.
Who should be responsible for security in the new world of cloud computing? It may be tempting for organizations to let a third party take the lead, but in the end the organization itself still retains most of the responsibility for assessing application security, regardless of where the application resides. Cloud computing or not, application security remains a critical component of any organization’s operational IT strategy.
Cloud computing will require renewed or increased focus from organizations that may have weak application security. Those with a strong application security program in place will find that little has changed, regardless of where data is stored. However, as companies move their information to the cloud, the move can provide an opportunity to prioritize security for what is commonly acknowledged as the most exposed part of the business: Web applications. Despite the awareness of this exposure, this area often remains the most seriously underfunded. One survey indicated that 18% of IT security budgets are typically allocated to address the threat posed by insecure Web applications, while 43% of IT security budgets were allocated to network and host security. The same survey showed that 67% of IT managers believed their organization’s website security budget was underfunded.
Effective website security must involve careful thought and strategic planning and avoid reacting to issues as they arise on an ad hoc basis. Website security must strategically assess threats, and map those threats to the assets at risk and the organization’s tolerance for risk. A good website security plan seeks to limit windows of exposure to threats and ensure organizational responsiveness to incidents. No matter how perfect the plan, incidents will occur; the organization must be ready to respond appropriately.
Appropriate resources must be invested to achieve a solid level of website security. Justifying these expenses requires having the critical information necessary to demonstrate an organization’s current and ideal level of security. IT contractors and the organization must work together to understand and prioritize the most critical security risks.
Any change from one infrastructure to another presents organizations with an opportunity to review security policies and procedures. Moving to cloud computing is a good time to revamp existing security policies and controls or implement new ones. Such reviews can also lead to a re-prioritization of budget allocations. The move to the cloud can be a great time to pull business, security, and IT teams together to develop a strategy and invest in security as an integral part of an organization’s plan.




