There has been a lot of press and concern over the last few years about moving corporate data to the cloud and maintaining security. A recent article by CIO discusses a variety of things to look for and ways to address some of the concerns. Some organizations stay away from public cloud technologies altogether because they assume nothing is safe. They use virtualization and automatic provisioning internally, so they trust the technology inside their own datacenters. The concern is with trusting your information to someone you don’t control.
The CIO article discusses not just technical remedies, but legal and financial as well. When an organization creates an internal datacenter, it thinks about physical security, information security and people security.
Physical security addresses the location of the datacenter and methods to ensure that only authorized people can get into it. Once inside, a person could easily get access to a server, a hard drive or a network switch and disrupt someone’s business application by unplugging something. Redundant components, locked server racks and UPSs address many of these concerns.
People security comes down to who you trust. Have you vetted your IT personnel to ensure they are trustworthy? Keycards and retina scans that limit access to a datacenter are of no value if your employees decide to do something malicious.
Information security is the most complex, since you have to worry about authorized access to your data. You need to have trusted authentication and access controls. Most of this boils down to usernames and passwords, although more organizations are using biometrics and 2-factor authentication with security tokens. Once authenticated, there are numerous access control mechanisms to ensure authorized access. Getting secure access to a system might involve a VPN and SSL.
The last piece is logging and auditing actions. This includes computer, network and data access as well as logs of physical access to your datacenter. You can’t control what you don’t measure.
These things are important for a public cloud provider, but there are additional concerns. The primary one is that you don’t have control of the physical environment or the people. You have a contract with the provider for uptime, security and response times. You should be able to audit your provider for anything they guarantee. A third-party auditing service can evaluate the actual, and consistent, application of security standards, processes and procedures at a provider and compare them to the ones promised. Your agreements should provide legal and financial recourse if they are not maintained. Most providers have good SLAs and security, but you need to verify it.
The area that gets the most attention is the security of your data. Most providers give you an encrypted connection through SSL or VPN to get data into and out of the cloud. What happens to it when it’s sitting on a hard drive in their datacenter? Is the information physically separated, as many regulations require, or is it shared with other customers? Does the provider have encryption when stored? How about backup and data redundancy?
Using a provider’s encryption may be adequate, but it might be better to encrypt the data before you move it to the cloud. Applying a persistent security policy for documents, pictures, audio and video files guarantees that you are in control of the files no matter where they go. With all the data breaches in the news, people are worried that some cloud provider will get hacked and all their data is compromised. If you do the encrypting, you are safe. If the provider does it, who knows.
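To make the "encrypt before you move it" advice concrete, here is an added example (my own code, not from the CIO article or this post) of client-side encryption with AES-256-GCM from Go's standard library. The key is generated and held on your side; what gets uploaded is only nonce, ciphertext and authentication tag, so the provider never sees plaintext, and any modification of the stored object (or a copy of it moved to a different object name) is rejected on download. The object name, sample record and function names are constructed assumptions for the illustration; in practice the key would live in your own KMS or HSM rather than in memory next to the upload code.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
)

const keySize = 32 // AES-256

// NewDataKey generates a fresh random 256-bit key on the customer side.
// The provider never receives it; store it in your own KMS/HSM, not beside the data.
func NewDataKey() ([]byte, error) {
	key := make([]byte, keySize)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// newGCM wraps the key in an AES-GCM AEAD (confidentiality plus integrity).
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != keySize {
		return nil, errors.New("key must be 32 bytes")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptForUpload produces the blob that is actually sent to the provider.
// Layout: 12-byte random nonce || ciphertext || 16-byte GCM tag.
// The object name is bound in as associated data, so a blob copied to a
// different object name fails authentication on download.
func EncryptForUpload(key []byte, objectName string, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext||tag after the nonce, giving nonce||ciphertext||tag.
	return gcm.Seal(nonce, nonce, plaintext, []byte(objectName)), nil
}

// DecryptFromDownload reverses EncryptForUpload and fails closed on any
// tampering, wrong key, wrong object name, or truncated object.
func DecryptFromDownload(key []byte, objectName string, blob []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(blob) < n+gcm.Overhead() {
		return nil, errors.New("stored object too short to be a valid envelope")
	}
	return gcm.Open(nil, blob[:n], blob[n:], []byte(objectName))
}

func main() {
	key, err := NewDataKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample record and object name; not real data.
	name := "backups/2024/customers.csv"
	record := []byte("constructed sample: customer 1042, card ending 4242")

	blob, err := EncryptForUpload(key, name, record)
	if err != nil {
		panic(err)
	}
	fmt.Printf("provider stores %d bytes, starting %s...\n", len(blob), hex.EncodeToString(blob[:16]))
	fmt.Println("plaintext visible to provider:", bytes.Contains(blob, []byte("customer")))

	back, err := DecryptFromDownload(key, name, blob)
	fmt.Println("round trip ok:", err == nil && bytes.Equal(back, record))

	// Simulate a provider-side modification of the stored object.
	tampered := append([]byte(nil), blob...)
	tampered[len(tampered)-1] ^= 0x01
	_, err = DecryptFromDownload(key, name, tampered)
	fmt.Println("tampered copy rejected:", err != nil)
}
```

The design point is that the provider's own at-rest encryption protects you against a stolen disk, but not against a breach of the provider's key management; with this scheme the only thing in their datacenter is ciphertext, and the audit question shifts to how well you protect your own keys.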
Moving information into the cloud requires the same security precautions as your own datacenter. You need to deal with third parties that you don’t control, which gives some people pause. Ensuring that a cloud provider meets security requirements, like ISO 27000, and audit requirements, like SAS 70 Type II standards, should help reduce your risk. Encrypting your data before moving it to the cloud keeps control of what you are actually trying to protect. Remember, you are still ultimately responsible for your information.
Photo credit IntelFreePress