Four Ways YOU Can Ensure Cloud Security

16Jul10

In our last Cloud post (Cloud Computing Risks and Rewards) we discussed a number of Cloud risks related to security:

These risks don’t “demonize” the cloud – but rather raise some critical questions regarding the protection of company data that’s migrated to cloud servers. The security of the cloud is still a bit (forgive the pun) cloudy to most – and may integrate well with existing security policies, protocols, and infrastructure.

Christofer Hoff – who offers excellent cloud perspective in his blog Rational Survivability – claims it’s not the nature of cloud computing that businesses should be worried about, but rather how companies implement and manage cloud computing.

“We’re struggling less with security technology solutions (as there really are few) but rather with the operational, organizational, and compliance issues that come with this new unchartered (or poorly chartered) territory,” Hoff wrote in his post Security and the Cloud – What Does That Even Mean?

Hoff’s quote pinpoints the simple source of our worries: we’ve developed a standard for IT security and compliance that’s being disrupted by something new. The question now is not whether companies should migrate to the cloud. The question is how our existing security methodologies will translate and apply to cloud computing. Since no industry standard for cloud security compliance has been adopted, organizations must steer their own ships as they sail toward cloud solutions.

Four ways organizations can retain appropriate data security as they implement elements of the cloud:

  1. Policy reviewing. A few thorough reads of your cloud provider’s policy will likely explain the rights they reserve to store and protect your data.
  2. SAS70 and PCI Compliance. As we said in our last post, SAS70 and PCI compliance policies may uncover details that aren’t specified in service agreements. They’re standards for cloud peace of mind.
  3. Choosing a public, private, or virtual private cloud. Public clouds allow secure employee access to company data from any system anywhere. Private clouds are more costly, granting access from company systems or systems within the company’s LAN, providing greater control over data resources and security. Virtual private clouds use a public cloud infrastructure in a private/semi-private manner, providing more balance between cost efficiency and security.
  4. Leveraging ITIL methodology. ITIL offers a one-size-fits-all starting point for IT methodology. As more businesses adopt cloud applications, businesses will have opportunities to apply ITIL methodology to a new generation of computing.


3 Responses to “Four Ways YOU Can Ensure Cloud Security”

  1. Christian,

    Long time, no speak (remember ERCOT? No. Oh well ;->). Nice post…cloud…something I have been thinking about for some time and reading up on. Attended Deloitte presentation from cloud guru/evangelist/worshiper…geesh, what conviction! It left me with my same feeling about all new, shiny IT things…“needs more research before jumping on the bandwagon”. After all, wasn’t SOA supposed to take over the world? ;-> You’d have thought so if you just listened to the “all in” evangelists. I will follow up on your links to get a better handle on the security issues which I think are the obvious ones that attract the most attention. I also think whether or not to (or what to) migrate to “the cloud” is still a reasonable question. I don’t think that it will make a lot of sense for certain segments of entities. It may come down to a matter of degree (testing infrastructure – yes, medical records – no). Can you trust others with your data when you cannot even trust your own people and infrastructure 100%? I guess yours and others’ links and posts will provide other ways to frame the arguments (or define what arguments to have!).

    Thanks and continued good luck.

    Eric Noack

    • Hey Eric, so good to hear from you.

      How could I ever forget ERCOT? I think I aged at an accelerated rate but also gained experience at an equally if not greater rate.

      Regarding trust – well, seems we’re supposed to trust certifications and audits more than anything (SAS70, etc) and of course, there are SLAs. But I do agree, the security of data is paramount – it can’t be breached (no matter what) and has to be available/portable. We’ve (Praecipio Consulting) been operating very much in the cloud since we got our start and have had great luck. In much part due to the quality of our service providers and my personal experience with them in one facet or other over the past 12 years. I say 12 years because I have been hosting websites and email with service providers such as intermedia… As you mention, some things should and shouldn’t be hosted/run on the cloud. Very dependent on the sensitivity and criticality of the system in question. The discussions and arguments will be interesting.

      Thanks for commenting. Hope to run into you sooner than later.

      Christian

  2. Interesting article.

    “The question now is not whether companies should migrate to the cloud. The question is how our existing security methodologies will translate and apply to cloud computing.”

    The Cloud computing concept promises IT companies a better platform for better efficiency and better customer service, but it’s not without its own security risks.

