As more companies move to cloud-based services, security in the cloud is becoming a greater concern. How can you make sure your company’s sensitive data is protected while still taking advantage of the convenience the cloud offers?

What is the Cloud?

First, we need to understand exactly what we mean when we talk about the cloud. Confusingly, the term can be used for very different things. People may be referring to the public cloud, to a private cloud, or to a hybrid of public and private.

A public cloud is one that is accessed by multiple users and organizations. With a public cloud, providers offer applications and storage via the internet to the general public. Lower cost is the main advantage of a public cloud. Limitations include security concerns for sensitive data.

A private cloud is accessed by only one organization. While a private cloud can reduce security concerns and offer the opportunity to customize for an organization’s needs, it also involves the additional costs of development.

A hybrid cloud, obviously, is a mix of public and private, allowing organizations to use different solutions for different needs.

To take advantage of cloud services effectively, organizations need to be aware of their needs. For example, companies that deal with health information or financial, or other sensitive data will want to avoid storing that data in a public cloud.

What Issues Do Your Company and Your Employees Face?

One of the greatest difficulties faced by employees is cumbersome security requirements. For example, according to a July 1015 study done by Dell, approximately 85% of users are faced with the need to have and keep track of multiple passwords for the different services they use on the job. Additionally, 82% of users who work remotely reported that they are required to use additional security measures. Ultimately, the study showed that 91% of users feel that their productivity is impacted by the steps they have to take to meet security needs.

The case of multiple passwords is especially worrisome, as employees tend to be focused on completing tasks over meeting security requirements. This can lead to disastrous workarounds, including using the same password for all cases, making a hacker’s job easy, or even writing down passwords and keeping them in poorly secured locations. If you’ve ever written a password on a slip of paper and “hidden” in under your keyboard, you know how easy it is to fall into the habit of workarounds.

However, most companies know that security has to take priority over ease of use. This makes sense, especially when dealing with sensitive customer data. How can companies balance these two competing needs?

What Solutions are Available for These Issues?

One promising approach is known as “context aware” security. This approach involves varying levels of security requirements depending on different factors. For example, a company might require only a standard level for a user whose geographical location is in California, but place additional scrutiny on a user logging in from an Eastern European country. This is a more sophisticated approach than those available in the past, which would either allow all users to log in easily regardless of geographical location, or would subject all users to intense scrutiny regardless of location.

More generally, encouraging IT professionals to move away from a “silo” approach to security will alleviate the need for multiple passwords. In the “silo” approach, new features are added to systems independently of each other, without much thought given to how each addition will interact with old features. In the short term, a quick and easy way to provide security in this environment is to require users to create a new password each time they need to be given access to a new feature. But in the long term, this is costly in terms of encouraging users to get around security with risky workarounds. Taking the time to have a coherent overall plan for adding new features will minimize this risk.

Yes, it’s all going to the cloud, which is better than “to the dogs.” And yes, you have to make sure your cloud environment is secure.

You need to confront some hard realities about cloud security because the cyber landscape continues to be unforgiving. It doesn’t matter whether you’re protecting traditional computer systems, your mobile platform or the cloud itself. Simply put, organized cyber crime and cyber espionage continue to grow in sophistication. Any new hackable platform is red meat for them. Opening massive breaches that harvest critical data is their day and night job. News headlines make that clear that the aggregate total of global cyber crime damage now rivals that of many nations’ annual gross domestic product (GDP).

First reality: Organizations spend considerable time and money securing their on-premises infrastructure. That’s good. The problem is maintaining that same high level of security when outsourcing to the cloud. Security delivery requires a cloud provider’s undivided attention. Yes, there are built-in security tools, but you will not get the key to any strong security posture—24/7/365 threat monitoring, analysis and response—or “managed security service.” These are humans watching out for you. You must know what’s happening on the cloud in real time and be able to respond very quickly. You need people to manage this, even if you have automated capabilities as part of your cloud security. The “cloud” doesn’t do it on its own.

(Related: An interview with Brendan Hannigan, IBM GM Security Systems Division)

Second reality: Repeat after me: “My cloud will be breached.” Take a deep breath. Say it one more time.

Remember, just because you’ve been breached doesn’t mean an attacker knows where to go once they get in your system. If you identify the attack quickly you can prevent him or her from getting to your critical data.

So, review your incident response plan for cloud security. What, you don’t have one? Okay, review the plan you have for your premises infrastructure.

If you still have a blank look, gather your team and start putting a response plan together—fast. How you handle it is crucial, particularly the speed of your response. Sophisticated attacks often show no upfront “symptoms” but can quietly devastate your business over time. The longer it takes to resolve an attack, the more costly it becomes.

Prevention starts with an incident-response plan and mock exercises to test the plan. Get an experienced provider to try and hack your cloud. Find out your vulnerabilities. Most important, make sure you have a team ready to move quickly and decisively if you suspect your cloud has been attacked.

Third reality: Last but maybe most importantly, get smart about “security intelligence.” Your cloud systems, along with your other IT platforms, generate billions of security events each day from firewalls, emails, servers and the like. It’s simply not possible to manually sift through this data and find evidence of suspicious behavior. Beyond the costs involved, it’s confined to figuring out “what happened” rather than “what will occur.”

When applied to security data, big-data analytics tools can be transformative—the tip of the spear in security intelligence and response. Analytics can provide automated, real-time intelligence and situational awareness about your infrastructure’s state of security to help disrupt the attack chain.

Say that two similar security incidents take place, one in Brazil, the other in Pittsburgh. They may be related. But without the intelligence needed to link them, an important pattern—one that could indicate a potential incident—may go unnoticed.

You need this capability, and providers like IBM are stepping up to make it the ultimate reality.

Stay safe.