4 essential cloud security tips

But before making the leap to public cloud, consider these pieces of advice from those that have already jumped

More and more enterprise IT shops - as they get comfortable with virtualization practices in their own private clouds - are considering a jump to the public cloud. But before making that leap, consider these pieces of advice from those that have already jumped.

1. Make sure your provider has VM-specific security

"Hypervisors were never really designed to be running in a public environment," says Beth Cohen, senior cloud architect for Cloud Technology Partners, a consultancy.

That fact doesn't necessarily stop them from being secure, Cohen says. But it does require a more elastic security strategy that can deal with the issues of virtual machines (VM) moving around the underlying infrastructure, interacting with cloud applications, and supporting multiple tenants.

Customers going into the public cloud need to understand that perimeter security - while it still needs to be in place in any virtual data center environment - isn't going to help with the internal security of virtual machines, says Michael Berman, CTO of Catbird Networks, a vendor that focuses on virtual machine security.

Both Cohen and Berman have pointed potential cloud consumers to VMware's vShield, which is both a product that offers integrated security services to the underlying VMware hypervisor and a set of APIs that allow third-party security vendors to build security services on top VMware's platform.

VMware's Dean Coza, director of product management for security products, points out that a dozen security vendors announced products that tap into vShield to deliver virtual machine security products at last month's VMworld conference.

But VMware is only one of the virtualization software vendors out there and the company has said very little about how these tools will help lock down other popular VMs from Microsoft and Citrix.

Experts describe the top cloud security concern

2. Figure out a way to lockdown endpoints

Predictions for mobile device sales are staggering. Forrester says tablet sales will hit 208 million by 2014. Gartner contends that 1.1 billion smartphones will be sold in 2015. Enterprises moving to the cloud must brace themselves for many more of these consumer-type devices trying to get to corporate data and applications in the cloud.

"The BYOD [bring your own device] to work issue is huge because now you have devices you don't own trying to access your data over networks that you don't control," says Tom Clare, senior director of product marketing at Websense, a content security vendor.

Jacob Braun, president and COO of Waka Digital Media, a managed security service provider and consultancy in western Massachusetts, says one way to help limit the number of users wanting to run personal devices on the corporate network is to set up policy roadblocks.

These include limiting what they can do on the machine while attached to the network, requiring them to pay for mobile malware protections and confiscating the device if there is a security issue.

But there are legitimate circumstances for giving upper management controlled access through the cloud. Braun's company uses products such as Kaseya's mobile device management module, which is part of the vendors overall IT System Management platform, to gain that kind of control.

Joe Coyle, CTO for Capgemini Consulting, contends that in order to effectively support mobile devices you must make sure your provider's ID management scheme jibes with your internal one.

"They are coming in from everywhere, so if you lock them into their set roles through consistent ID management, then you have a decent shot at making sure they are not getting to data they - or their machines -- don't have rights to," Coyle says.

3. Push your cloud provider to put security in your SLA

Standard cloud service provider service-level agreements (SLA) barely touch on security, so it's a buyer beware kind of situation.

"Make sure your provider is willing to move well beyond simple monitoring of your service usage," says Torsten George, vice president, worldwide marketing at Agiliance, a security vendor that offers governance, risk and compliance services.

Customers have a right to push for insight into a provider's compliance posture, its overall security posture and how it stacks up against benchmarks for best security practices.

"Absolutely push for a custom security SLA," says Jeremy Crawford, CTO of MLSListings, a Silicon Valley-based regional Multiple Listing Service (MLS) that supports over 5,000 brokerages and 18,000 subscribers. Crawford has negotiated security focused SLAs with three public cloud providers. He takes a look at the providers' standard security agreement, but only consents to about 50% of the language in most cases. He pushes for more favorable language relating to visibility into the providers' systems and sets up specific terms about shared liability should there be a breach.

"You've got to have teeth in the contract or you'll have no legs to stand on if there is a data leak," Crawford says.

4. Act quickly

Richard Rees, manager of EMC's virtual cloud consulting services, says enterprises should move quickly on an overall strategic plan for pushing their business process out to the public cloud in a controlled fashion. By doing so, you avoid rogue pockets of public cloud within the companies.

"I am always surprised by how quickly departmental pilot projects morph into business critical applications," Rees says. Due to the relatively low cost of entry into most public cloud applications, the likelihood that they are being used without IT's knowledge is pretty high.

Read more about cloud computing in Network World's Cloud Computing section.

Join the CSO newsletter!

Error: Please check your email address.

Tags securitycloud computinginternet

More about CatbirdCitrix Systems Asia PacificEMC CorporationGartnerKaseyaMicrosoftTechnologyVMware AustraliaWebsense

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Christine Burns

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place