The Cloud is nowadys a key tool for CIOs/IT Services Director, thanks to its flexibility, the cost reduction made and time-to-market improvements. 85% of companies in the private sector have adopted it (IDC 2016 figures).
For companies that have their business application in the Cloud :
Security is obviously the main concern identified by decision makers as to the use of Cloud in business context (source State of Cloud Report 2016 - BetterCloud).
According to a 2017 study for LinkedIn among 2,200 companies using the Cloud :
69 days on average were needed to find the security incident, 7 days to resolve it and 43 days for the investigations to be done.
Nevertheless, the implementation of the security can have a very important impact on the budgets, the delivery delays of the solutions and the agility. These three criteria helps us see the advantages of the Cloud over the software On Premise..You need to be extremely careful on the perimeter and the levels of security desired, at the risk that the ROI of a use of the Cloud is not what you were expected.
An essential phase is the knowledge of the data of the company and their classification by level of confidentiality. This step will allow you to know which data can be outsourced, under which conditions and which will remain On Premise.
The legal constraints and laws may change, according to the type of data (personal, financial, industrial, commercial, public data, etc.). The data can also be subjected to different regulations (GDPR, CNIL, ANSSI, PCI-DSS, avoid the American Patriot Act,etc.). These constraints can then impose the choice of your Cloud Provider (eg French with a datacenter in France).
Depending on the data to be outsourced and their associated constraints, several types of Cloud are available: public, private and hybrid (mix between public and private Cloud). The use of an hybrid Cloud will limit the efforts of security for the public data (public Cloud), secure the more confidential data (private data), while allowing to keep a link between the two worlds.
Type of Cloud used in companies - Source RightScale 2016, study among 1060 companies
The implementation of the Agiles and DevOps structures broadened the prerogatives of the development teams and helps with the controls. Train your developers to secure their code from the start can greatly reduce the risk later (eg Open Web Application Security Project).