Security has been a key issue in the area of technology, and even more so when newer technologies are being introduced. Fear of the unknown is a human condition we have to recognize and live with. Hence, with the advent of the Cloud – together with mobility, big data and analytics – issues related to security seem to hinder the progress of technology adoption. These issues, however, can be addressed effectively. This article will look at how an organization can plan to build a secure cloud-based solution on the fly.
Trust and accountability
A common belief is that cloud benefits come with security risks. In a managed cloud infrastructure, we outsource the management of IT resources to someone else. We worry about accountability, and we question whether we could trust the cloud provider.
But most cloud computing companies are well reputed, known for protecting trust and for the investments they put into their security infrastructure. These include the multiple levels of security they have built in, the multi-layer security architecture their clients can superimpose on top, and security measures that meet many of the standards set by governments and the industry, such as the US Department of Defense (DoD) 5220.22-M standard and the NIST 800-53 framework, as well as compliance with HIPAA, FISMA, and SOC 2 Type II.
These alone exceed the best protection that any single organization could implement on its own.
Nevertheless, when it comes to securing critical information, accountability is everything. There are many cloud providers to choose from, and businesses are encouraged to do their due diligence before signing up with anyone. There is no ‘one-size-fits-all’ approach.
Businesses should also be ready, and be assured of having the option, to ‘jump ship’ to another provider should they feel dissatisfied with their current provider.
Data privacy and protection
There are also questions of how to ensure data privacy and security when the cloud service provider has access to the data that is now physically residing at their premises and ostensibly under their control. How could the customer maintain the integrity of certain classes of information – such as personal, medical or financial records – to meet regulatory and legal requirements? What if the provider is able to see, or perhaps even use or share, the data?
Although the questions are legitimate, the fear may be a little exaggerated. Cloud service providers are well aware of data privacy and sovereignty issues, and it is their business to protect customers’ data against hackers and malicious attacks, as well as meet compliance requirements.
At the bare minimum, this would mean implementing intrusion protection systems, firewalls and SSL certificates, among others.
Cloud service providers are here for the long haul, and it is in their interests to respect and honor their customers’ data privacy boundaries. Although cloud infrastructure platforms are shared, they are not pooled together to allow universal access to all of the provider’s customers who share that platform. Even if it is a public cloud that is multi-tenanted with multiple virtual servers, every virtual server is effectively siloed from the virtual servers of every other client in the data center.
As such, data is accessible by the customer only, and not by any of the other tenants, or even the provider’s employees.
Securely leveraging the cloud
Having dispelled some of the fears about cloud security, let’s take a look at how an organization can plan to build a secure cloud-based solution on the fly. All that is needed are the proper tools, including a set of security products and services to help build, deploy and manage the cloud solution.
But proper planning is everything. The following serves as a checklist of what organizations can do:
1. Provide secure connectivity, authentication, access control, and audit capabilities for IT administrators and users
Include VPNs, multifactor authentication, audit control logs, API keys, and other fine-grained access control. This allows staff to securely access work data and connect to the application via HTTPS, using the wide range of SSL certificates available in the market.
2. Ensure that stringent data security measures are enforced
Data cannot be shifted across borders, and data-at-rest and data-in-transit must be encrypted. The cloud provider must leave data where customers place it, and must never transfer customers’ data. Use encryption solutions to ensure sensitive data-at-rest is not stored in clear text, and that the customer maintains complete control of the encryption keys.
3. Ensure multi-layered security for network zone segmentation
Users and administrators need confidence that their network is securely partitioned. SoftLayer native and vendor solutions such as SoftLayer VLANs, Vyatta Gateway, FortiGate firewall, and Citrix NetScaler allow administrators to securely partition a network, creating segmentation according to organizational needs, and providing the routing and filtering needed to isolate users, workloads, and domains.
4. Enforce host security using anti-virus software, host intrusion prevention systems, and other solutions
The IT team can apply best-of-breed third-party solutions, such as Nessus Vulnerability Scanner, McAfee Antivirus, and McAfee Host Intrusion Protection. These capabilities give administrators the means to ensure that infrastructure is protected from malware and other host attacks, enhancing both system availability and performance.
5. Define and enforce security policies for the hybrid cloud environment, and audit any policy changes
Administrators can manage overall policies for the combined public-private environment using IBM solutions like QRadar, Hosted Security Event and Log Management Service, and X-Force Threat Analysis Service. Admins can use solutions from vendors like CloudPassage, Sumo Logic, and ObserveIT to automatically define policies around firewall rules, file integrity, security configuration, and access control, and to audit adherence to such policies.
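One way to audit firewall rules against a zone-segmentation policy, as items 3 and 5 describe, shown here as an added example that is not from the article or from any vendor it names. The zone layout, the allowed flows, and the exported rule list are all constructed for illustration.

```python
import ipaddress

# Constructed zone map: zone name -> address range (assumed layout)
ZONES = {
    "web": ipaddress.ip_network("10.0.1.0/24"),
    "app": ipaddress.ip_network("10.0.2.0/24"),
    "db": ipaddress.ip_network("10.0.3.0/24"),
}

# Segmentation policy: the only cross-zone flows permitted, as (source, destination, port)
POLICY = {("web", "app", 8443), ("app", "db", 5432)}

# Constructed firewall export: (rule id, source CIDR, destination CIDR, port or None for any)
RULES = [
    ("r1", "10.0.1.0/24", "10.0.2.0/24", 8443),
    ("r2", "10.0.2.0/24", "10.0.3.0/24", 5432),
    ("r3", "10.0.1.0/24", "10.0.3.0/24", 5432),  # web reaches db directly
    ("r4", "10.0.0.0/16", "10.0.3.0/24", None),  # broad source, any port
    ("r5", "10.0.2.17/32", "10.0.3.5/32", 22),   # one-off SSH exception
]

def zones_touched(cidr):
    """Return every zone whose address range overlaps the rule's CIDR."""
    net = ipaddress.ip_network(cidr)
    return sorted(name for name, zone in ZONES.items() if zone.overlaps(net))

def audit(rules, policy):
    """List (rule id, src zone, dst zone, port) for each flow the policy does not permit."""
    findings = []
    for rule_id, src, dst, port in rules:
        for src_zone in zones_touched(src):
            for dst_zone in zones_touched(dst):
                if src_zone == dst_zone:
                    continue  # intra-zone traffic is outside this policy
                if port is None:
                    # An any-port rule always exceeds a per-port policy
                    findings.append((rule_id, src_zone, dst_zone, "any"))
                elif (src_zone, dst_zone, port) not in policy:
                    findings.append((rule_id, src_zone, dst_zone, port))
    return findings

if __name__ == "__main__":
    for finding in audit(RULES, POLICY):
        print("policy violation:", finding)
```

Expanding each rule to the zones its CIDRs overlap is what catches r4: a single wide source range silently grants two cross-zone paths that a rule-by-rule string comparison would miss.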
It is clear that cloud security is not an oxymoron. In fact, cloud-based solutions are not just more flexible, scalable and dynamic to provide both short-term and long-term IT resources, but are also inherently more secure – and make more practical and economic sense overall.