Dispelling the vapor around cloud security

May 9, 2012, by David
Grazed from InformationWeek.   Author: Jayabalan Subramanium.

Data security keeps chief information security officers (CISOs) up at night, and with new computing models such as cloud, the stakes can be perilously higher. The possibilities of data loss, data leakage, service downtime, regulatory constraints, and risk of intellectual property theft create a treacherous risk environment. These security issues illustrate the significant hurdles a business must clear before adopting cloud computing. Any organization considering a move to the cloud must carefully assess what applications and data it can migrate to a cloud environment because cloud computing may not be appropriate for all business processes.

Organizations must carefully examine the capabilities of any potential cloud services provider. Security, compliance, availability, and scalability are all factors that must be thoroughly evaluated before embarking on the journey to the cloud. At the same time, it is important to consider the financial viability of the service provider. A business does not want a service provider to disappear the month after it moves its processes into the cloud. In today’s harsh operating environment, adding value and increasing efficiency are imperative. Cloud computing has matured to the point that it can be a secure, viable, and highly effective approach. But without careful planning and consideration of market concerns, the gains can be overshadowed by the risk exposure…

Security considerations differ, depending on whether you use a public or private Infrastructure as a Service cloud offering. What’s the difference?

In the private cloud, you own and run everything — from layer 1 (the hardware, the building and the physical security) to layer 8 (the “political” or “human factor” layer). With a private cloud Infrastructure as a Service deployment, you are completely responsible for the entire security stack.

In contrast, when you use a Public Cloud Infrastructure as a Service provider, you share the security duties. There are components of the Infrastructure as a Service offering for which the Cloud Service Provider (CSP) is responsible, and there are things for which you as the customer are responsible. The demarcation of security responsibilities between you and the cloud service provider should be well understood, clearly defined, and explicitly agreed upon.

Demystifying cloud security myths

Myth 1 – The Cloud is inherently insecure

The cloud environment can be absolutely secure — in fact, it can be even more secure than your own data center or IT infrastructure. A key advantage of third-party cloud solutions is that a cloud vendor’s core competency is to keep its network up and deliver the highest level of security. In fact, most cloud service providers have clear SLAs around this.

To run a cloud solution securely, cloud vendors can pursue PCI DSS compliance, SAS 70 certification and more. Undergoing these rigorous compliance and security processes can give organizations the assurance that cloud security is top of mind for their vendor and appropriately addressed. The economies of scale involved in cloud computing also extend to vendor expertise in areas like application security, IT governance and system administration.

This makes the case for an enterprise hybrid cloud model very compelling, where the same common security standard can be delivered across both public and private environments without compromising enterprise-class requirements or costs.

Myth 2 – Cloud is a new concept; hence security is a challenge

There’s a misconception that cloud is a new technology and, therefore, cloud security is a brand new challenge that has not been addressed. Although it is true that the cloud represents a brand new target for attack that hackers love to go after, the vulnerabilities and security holes are the same ones that exist in traditional infrastructure.

In fact, today’s cloud security issues are much the same as those of any other outsourcing model that organizations have been using for years. What enterprises need to remember is that when you talk about the cloud, you’re still talking about data, applications and operating systems in a data center running the cloud solution. In fact, virtualization of IT infrastructure can make the cloud more secure than the physical environment, and an investment in virtual security can provide the needed control and visibility for cloud.

Myth 3 – Compliance means security

Many enterprises believe that being compliant ensures that their systems are secure and invulnerable to attacks. However, compliance does not ensure security; it only attests to the state of security at a specific moment in time. Compliance standards are reliant on human adherence to policies and procedures and not on automation. This can lead to errors and misjudgment. In the long run, equating security with compliance — and vice versa — can put the business at risk.

Myth 4 – All clouds are created equal

While the cloud can absolutely be as secure as or even more secure than an on-premise solution, not all clouds are created equal. There are huge variances in security practices and capabilities, and you must establish clear evaluation parameters to make sure any solution addresses your security policies and compliance mandates.

Changing realities

While security emerges as a major concern among the barriers to the adoption of cloud computing, the key to understanding security in cloud computing is to realize that the technology is not new or untested. It represents the logical progression to outsourcing of commodity services to many of the same trusted IT providers we have already been using for years.

Organizations that approach cloud computing in a mature manner need not be worried about the security concerns that surround cloud computing today. And there are steps you can take to make cloud security just as effective as (or even more effective than) your internal IT.

In the end, the question that needs to be answered is not whether the cloud is secure, but whether the service provider you have chosen to outsource your IT infrastructure to is offering you a secure cloud environment.