Debunking the myth: A secure cloud is possible!!

5 07 2012

Let’s face it, cloud computing is the “big thing” in IT today. Many companies are reaping the benefits of cloud computing (i.e. “the cloud”): simplified management, rapid scalability, and reduced capital expenditures [1]. Other companies, however, are hesitant to “jump on the bandwagon”. The two main concerns that these companies have are SECURITY and AVAILABILITY. The belief is that cloud computing cannot provide the same level of security, control, and availability as an “on-premise” datacenter because the span of control belongs to the cloud provider (instead of the company itself). This is the first misconception of cloud computing: the consumer has no insight into the “behind the scenes”. The next misconception is that the consumer has no ability to influence the decision-making of the cloud provider. The last misconception is that cloud vendors do not want to do anything (i.e. since they are the “middle man”, they need not take proactive measures to protect your “piece of the cloud”). We will examine each of these misconceptions and see whether it holds true or can be debunked.

Physical Security

The first area of concern is physical security. Companies believe that since they do not “hold the keys”, they do not have any control over the physical security of their data (within the cloud). This can easily be debunked by including documented policies and procedures for Access Control, Information Security Management, and Physical Security within your service agreement/contract [1]. Furthermore, a consumer should inquire into how the provider ensures that the policies & procedures set forth are followed (i.e. user training, policy review & audit procedures, and change management policy) [1]. Even further, one may review the internal deployment processes & procedures to see how IT assets (hardware, software, etc.) are installed, configured, and tested prior to deployment [2]. The old saying “knowing is half the battle” certainly holds true. The more that a consumer knows, the more at ease they will feel (especially in the areas of security).

Application/Data Security

Your data is your most valued asset. You want to ensure that your data does not fall into the wrong hands. It is important to understand your data and its sensitivity/classification, and how this impacts your vendor’s cloud design. Will your data be stored encrypted within the cloud? Will it be stored in “isolation” (i.e. completely segregated from other data within the cloud)? How does the application access/store/manipulate/delete/archive your data, and are secure tools used to do so (such as HTTPS/SSL and/or VPN for in-transit encrypted communication, encrypted data storage devices, etc.) [2]?

Infrastructure Design

The design & implementation of the cloud provider’s data center(s) should be one of your top concerns. Are all components (hardware, software, etc.) highly available and fully redundant? What are the data retention/deletion/archival processes & procedures? Am I at risk of a data breach because of these [3]? Is my company’s data truly segregated from that of your other clients? The IBM Cloud Security Approach is to “Secure by Design” [4]; what design/implementation approach has your cloud vendor followed? The use of virtualization, both for networks (i.e. VLANs) and application/database tiers (i.e. VMware), has become a blueprint for many cloud providers today [5]. What technology is your provider going to use and why? Keeping in mind that “one size does not fit all” [4], what is your vendor doing to ensure that they meet your specific needs (i.e. do they need to change their design, infrastructure, process/procedures, etc.)?

The list of questions that one should ask goes on and on (see the “Questions to Ask” section in the article “Securing the Cloud From the Outside-In” [1]). The important thing is that you fully understand the design & implementation of “your cloud”, and that it meets your needs.

Influence & Control

Some may say that this is all well and good, but how do I have any say in what my cloud vendor does? The key lies within your service contracts, more specifically, your service level agreements (SLAs). SLAs used to be simple: state the basic services needed and maybe include some “uptime” requirements. Now, SLAs have become more in-depth, providing exact detail on which services are required and which level of security is required, and including financial penalties for incidents, outages, data breaches, and so on. It is these financial penalties that are the main “motivating factor”. The customer never wants to have to collect these penalties. They want stable, available, and secure services provided to them. So they make these penalties so distinct (and costly) that it becomes in the best interest of the cloud provider to ensure that they never have to pay them. Another motivating factor is business growth and publicity. These vendors want to attract other clients (increase revenue); they do not want negative publicity (such as a data breach) because this drives away business (not only new business, but also their existing clients).

Conclusion

So, it is possible to get secure & available services from the cloud; we just need to ask the right questions and provide the right level of detail within the service contracts. Cloud vendors are highly motivated to ensure that their solutions are secure & highly available. Cloud computing offers many enticing benefits; coupled with the debunking of myths pertaining to security and availability, these benefits may outweigh any perceived risks and provide the solution that consumers are looking for.

[1] Hamilton, Mary Beth. “Securing the Cloud From the Outside-In”. Wall Street and Technology. 21 Mar 2012. Web. 18 Jun 2012 <http://wallstreetandtech.com/articles/232602908>

[2] Strom, David. “How Secure Is The Cloud?” Tom’s Hardware. 22 Dec 2010. Web. 18 Jun 2012 <http://www.tomshardware.com/reviews/cloud-computing-security,2829.html>

[3] Rubens, Paul. “Ensuring Data Security in the Cloud”. eSecurityPlanet: Security Trends. 11 May 2011. Web. 20 Jun 2012 <http://www.esecurityplanet.com/trends/article.php/3933241/Ensuring-Data-Security-in-the-Cloud.htm>

[4] Coleman, Nick. “Securing The Cloud: Questions and Answers”. Wired: Cloudline. 12 Oct 2011. Web. 18 Jun 2012 <http://www.wired.com/cloudline/2011/10/525/>

[5] “Securing the Cloud: A Review of Cloud Computing, Security Implications and Best Practices”. VMWare White Paper. Web. 17 Jun 2012 <http://www.savvis.com/en-us/info_center/documents/savvis_vmw_whitepaper_0809.pdf>
