Security concerns still make businesses nervous of the cloud. Whilst companies are aware of its benefits – speed of deployment, scalability, capital expenditure savings, flexibility and technological innovation offered by service providers – reservations and scepticism still remain.
The fear is understandable– businesses typically like to be able to see and touch their own servers and know exactly where their data is being held, whereas cloud services are by definition intangible. Businesses are unsure how safe it is – so much so that a 2012 LinkedIn survey revealed that 54 percent of IT decision makers cite data security as the key inhibitor to cloud adoption
Essentially, an organisation’s cloud security strategy should not be fundamentally different than that of their physical infrastructure. An effective security management policy requires a holistic approach and by following best practice guidelines, businesses can distil their own cloud security concerns and make sure their chosen cloud provider has the right approach to data protection. This will enable organisations to enjoy the savings and flexibility offered by the cloud without compromising their own security requirements.
BEST PRACTICE TO CLOUD SECURITY
Any company planning to migrate to the cloud should ask some searching questions beforehand to make sure their provider offers watertight security as part of their cloud service. However the first question should be whether the cloud is even right for them. Businesses should thoroughly assess their needs and current IT situation before outsourcing to the cloud, as not all apps and data are ready to be moved to the cloud and may actually increase costs rather than reduce them.
It should be noted that the cloud – like any other computing platforms is dependent on people, processes, technology and location. Conducting a thorough assessment of these key areas can give organisations a level of confidence that can help them overcome the fears associated with migrating to the cloud.
The greatest threat to any organisation is users with privileged access doing something they shouldn’t, whether it is accidental or done with malicious intent. However, the risks can be lessened if the service provider vets employees using simple background checking processes and ensures they have the relevant level of competency to do their job.
Data security is not just about implementing the latest firewall, robust threat management systems or having the most secure site. The effective management and administration of a data centre is just as vital. Additionally most outages are not caused maliciously, but are due to mismanagement of the systems. A simple misconfiguration during an upgrade can cause the entire system to shut down. The continuity of business-critical information must therefore be effectively managed. Any analysis of a potential vendor requires full understanding of its internal processes and procedures and how change is handled.
Organisations need to adopt an Information Security Management System (ISMS) such as IS27001 and a set of robust change management processes such as those laid out by ITIL.
One advantage of the cloud is that is can be accessed from anywhere at any time. Yet this constant availability also means that it will always be subject to attack. If a data centre is (or appears to be) inadequately protected, the infrastructure held there will be vulnerable to hackers.
Single tier firewall solutions will not deter hackers targeting confidential information - a multi-tiered defence in depth approach will offer much greater protection. Does the service provider offer leading edge technology to deter attacks? Does it offer basic perimeter firewalls or advanced application host-based anomaly detection? Public-facing companies that often attract the highest number of attacks should consider whether a provider’s security coverage includes real-time threat monitoring, log management and importantly, denial of service (DDoS) attack mitigation to protect their customer data.
Many firms do not know where their provider’s data centres are located but this should in fact be one of the most important questions in the selection process - their facilities will house an organisation’s private data and mission critical systems.
With varying degrees of data protection legislation around the world, businesses should also consider the implications of placing their operations in a location where laws are not as stringent as their domestic market. Larger organisations are increasingly concerned with where their data is being held, not only because of data protection issues but also because of privacy laws such as the Patriot Act, which allows the US Government access to data held on US soil.
Additionally it is not just the location of your compute estate - you need to consider where the administrative staff are based and ask if information is leaking outside the geographic jurisdiction of your choice.
Finally it is also important to assess whether the site is in a secure location or if it is susceptible to adverse environmental conditions that may cause outages. If an outage does occur, are there resilient failure capabilities to ensure seamless continuity of service?
Organisations place a significant level of trust in their chosen cloud provider which makes recommendation one of the most powerful tools in deciding whether to adopt cloud services and from whom.
While a provider may tick all the right boxes, there is still a level of risk when it comes to migrating to the cloud. These potential risks need to be weighed up against the flexibility the cloud provides. Businesses that regularly work with highly sensitive data in industries such as the public sector, healthcare and finance may want to opt for their own private cloud environment. However, this approach limits an organisation’s flexibility to expand beyond its constrained hardware investment. When it reaches capacity, it has to quickly invest in additional hardware in order to support increased demand. With public cloud services, businesses can order more utility instantly, scaling up or down as required.
Ultimately, businesses need to assess their own needs carefully and be mindful of the risks. Utilising cloud services can provide significant, well-documented and measurable benefits - however there is no silver bullet to reduce the risks. Working collaboratively with chosen cloud providers and ensuring the necessary processes are in place can give organisations the level of confidence that overcomes fears associated with the cloud.