A clearer view of cloud computing security now that the haze is gone
- 24 July, 2012 18:30
This vendor-written tech primer has been edited by Network World to eliminate product promotion, but readers should note it will likely favor the submitter's approach.
The cloud is here to stay because most organizations are looking to the cloud for "extension" -- the capability to take their business in new directions faster, rather than simply as a method of cost management. And now that the hype haze has disappeared, we have a much clearer picture of how to get the best from the cloud.
This is a crucial time for IT managers. The cloud computing and consumerization (BYOD) technology waves are changing the distribution of IT control: Users are taking more control of the devices they use; business managers are taking more control of the budgets; and service suppliers are taking more control of the data they handle. CIOs and IT managers who want to contribute to their organization's acceleration in 2012 need to be able to coordinate these different elements in a much wider scope than ever before to retain control. It's time to adapt or be swept aside.
While traditional information and communications technology approaches focus on owning and controlling resources, assets and contracts, a practical and balanced benefit-risk cloud assessment involves new ways of thinking and a shift of focus to accessing evolving services.
Part of the pragmatic trade-off is identifying and tackling the biggest security concerns associated with the cloud: corporate data confidentiality, privacy, compliance, and the integrity of services and/or data. Some enterprises try to protect everything against every imaginable threat; others spread whatever protection they can afford evenly, hoping this will keep attackers at bay.
Instead, finding the right trade-off for your organization involves determining your organization's appetite for risk -- i.e., the amount of risk you're prepared to take in each area of your operations. Then you can start to think about not just the defenses you need to put in place but the processes you need to enforce your security policies. And then you can initiate the cultural move from a zero-risk/zero-breach mentality to a predict-and-prevent/risk-resilient mentality.
Here are eight essentials to keep your data secure in the cloud:
1. Plan and research. Understand exactly what you want to achieve and what type of data you want to move to the cloud. Research the market and the different services, service level agreements and security features available. Investigate hosting and find out the regulatory implications of data being stored in different countries.
2. Look for a supplier you can trust. You need a relationship grounded in a shared understanding of accountabilities and expectations.
3. Outsource responsibility responsibly. Use the tools that are there to protect your organization against risks -- contracts, governance frameworks, due diligence procedures, and insurance policies.
4. Put your prospective supplier under the microscope. Find out who within the supplier organization will have access to your data; ask for audit logs, details of compliance certification, or info about a recent audit that they can share.
5. Prepare for cloud culture. The automated interface of many cloud services can feel alien to IT departments used to dealing with people within supplier organizations. Procurement, legal or commercial teams can also find the pay-as-you-go contracting model of cloud services demanding. Work to help these teams understand the value of the cloud, or they may become strategic barriers.
6. Protect your data. Use strong authentication. Encrypt your data when stored and transmitted and keep access to your encryption keys within your organization. Make sure data no longer needed is permanently erased from computer memory and storage.
7. Prepare to prevent DDoS attacks. Attacks that deny access to legitimate users are relatively common. However, with the right planning, cloud systems are highly resilient against simple flood attacks and excel at ramping up more bandwidth and resources in the face of gigabytes of malicious traffic.
8. Review regularly. Seek independent audits of suppliers' offerings to ensure they are still the best-in-class and best fit for your needs. Test your systems and procedures, and remember to review the human elements, too.
Ultimately, the benefits of moving to cloud architecture are widely accepted and potentially huge: increased agility due to rapid provisioning and de-provisioning of resources, significantly reduced capital expenditure and fixed costs, easy availability of services to a mobile workforce, less time spent managing technology and software, and more time spent managing information and data to drive business innovations. But the key, of course, is to strategically and effectively manage the inherent security challenges.
BT is one of the world's leading providers of communications services and solutions, serving customers in more than 170 countries. Its principal activities include the provision of networked IT services globally; local, national and international telecommunications services to its customers for use at home, at work and on the move; broadband and Internet products and services and converged fixed/mobile products and services.