You know a technology has become standard when an institution founded before electricity plugs it in.
Just look at The Hartford. The 208-year-old insurance company -- whose business is protecting against loss -- is embracing cloud computing, a technology that not long ago struck fear into both the IT and business sides of companies, regardless of industry.
Data architecture manager Asha Potdar is helping usher the Hartford, Conn., institution into the cloud, moving traditional applications there and building new, cloud-native ones. That's bringing on a plenitude of change, calling for new skills, new ways of coding, new ways of developing software.
But among the challenges Potdar faces in The Hartford's cloud journey, cybersecurity is the most acute, and it's holding up a major project.
"Now that we are opening to the public cloud, the connections that can come from public into our network are what we are trying to strengthen," she said at the Argyle 2018 CIO Leadership Forum in Boston on May 2. So the plan is get the right controls in place and "strengthen our networking capabilities before I can open up the cloud for production applications."
A handful of IT leaders at the convention gathered onstage at District Hall in Boston's booming Seaport neighborhood to address cloud computing security threats -- risks to users' privacy, for example, and users themselves -- as well as ways to manage them.
Privacy and cloud security
Cloud computing, said Jason Hayes, a principal at the Denver office of consulting outfit Point B, has grown so fast in recent years because "we really want access from anywhere, anytime for our mission-critical business applications, whether those are internal or external." And as vendors roll out new capabilities and companies tap them for more and more uses, new risks and threats are introduced.
One risk is to privacy, which depends on executing and maintaining good IT security, Hayes said. "Without security, we cannot offer privacy to our customers or even to our internal employees."
Today, the privacy landscape is changing. On May 25, the European Union's General Data Protection Regulation goes into force. The directive changes the way companies are allowed to handle the personal information of EU residents. "We can't just gather information on anybody anymore," Hayes said.
For IT folks, GDPR presents a thorny problem: guaranteeing that they aren't keeping unstructured data they aren't allowed to keep -- things like messages, email and documents -- across file shares and other systems where data is housed.
"This is actually a threat to us in the IT space, because this is a major challenge to solve," Hayes said.
The biggest risk of all: Users
But the main cloud computing security threats are on the inside.
"Our biggest threat in the security space always has been and always will be our end users," Hayes said. The risk is that employees, typically without malice, will expose company data and information -- going to a Starbucks with a laptop, downloading illegal movies and stirring a zero-day threat, which makes its way past the company's antivirus software. "Then, they bring that back into the corporate office, and all of a sudden that malware has access to our corporate data."
Panelist Eric Barricklow, CISO at the New Hampshire Army National Guard, also said users are the biggest cybersecurity threat. His users, the men and women of the National Guard, are part-timers, working in the reserves a weekend a month or two weeks a year. "But they have full-time responsibilities. They are the decision-makers. So they often have to do critical business functions away from our enclave," he said.
"Trying to ensure that the data is used in the appropriate manner, the data classification and the data use, and ensuring that users don't inadvertently start to share that intellectual property, trying to maintain the nondisclosure agreements" are Barricklow's main concerns.
Cloud computing security threats exist also because of how the cloud works, Hayes said: Organizations' data is processed and stored in another company's data center.
"Unless you have strong vendor management practices in place where you're ensuring that your vendor is complying in their own way with the security standards that you've set, they are exposing you to a lot of risk," he said.
Losing information is not the only risk of not doing due diligence on vendors, Hayes said. If there's a data breach, an organization could be taken to court by affected parties -- for example, customers or partners. If it can't prove it has assessed and selected a vendor based on its internal cybersecurity standards, serious consequences can result.
Managing risk in the cloud
There are ways to manage cloud computing security threats, the panelists said. Hayes recommended adopting policy standards as laid out by the National Institute of Standards and Technology or the International Organization for Standardization.
Such frameworks give organizations the opportunity to "self-assess, determine where your weaknesses are and give you some actionable steps to move forward," Hayes said. "That is just so critical when you move to the cloud and you're trusting somebody else with this information."
For visibility into what is happening in the cloud and what dangers are lying in wait, Barricklow suggested security information and event management services, which provide an analysis of security alerts sounded by applications and network hardware. Outsourcing such duties is important, because "it is virtually impossible for any organization to have enough IT staff of their own to really do that."
"If this is on your priority list -- getting out in front of the real-time threats on the internet," he said, "engage a vendor that that's all they do and they have a team, staff to do that full time."
A holistic approach
Panelist Tasneem Nipplewala, vice president of information security at Boston's Eastern Bank, said cloud computing security threats are best faced when IT and cybersecurity teams work not in isolation, but alongside the business. When they do that, they can ask important questions about the data that's moving to the cloud.
"Try to understand, OK, if this data is something really important, I'm going to add a lot of controls to it versus if it's going to be publicly available marketing brochures or materials, I don't need to put in so many layers of controls," Nipplewala said.
Getting the entire organization involved is important in creating a "culture of cybersecurity," Hayes said. The idea, gaining traction over the past few years, is that security shouldn't be the province of IT alone.
"But rather that IT is creating education and empowering the end users, who have more visibility than IT will ever have into how things are actually working in the environment," he said. "And how we empower them to report issues, how we empower them to take action, how we empower them to make really smart decisions and help safeguard our information."
Whenever an organization contemplates cloud, though -- whether a SaaS application or a cloud infrastructure service -- the important thing is to have a mature strategy for properly handling all of the complexity the cloud involves, said panelist Alina Aronova, vice president of technology operations at Cengage, an educational publishing and services company in Boston.
"It's not just, 'It's a wonderful solution,'" Aronova said. "It adds another layer of complexity that has to be fully thought out as part of going into the cloud, not as an afterthought."