There are many factors that contribute to securing a cloud environment, and many potential liabilities that could derail a cloud planning process. To help you establish and maintain a safe cloud environment, this e-guide advises how best to manage risks and understand the concept of “acceptable” levels of risk, for example network interception.
CLOUD DATA SECURITY OUTSIDE THE VACUUM: FIND ‘ACCEPTABLE’ LEVELS OF RISK
Even a suggestion of security problems is enough to scuttle a cloud project and discredit the whole cloud planning process — and the planners. To avoid this, enterprises must start with a relativistic view of security, focus on managing new risks and understand the notion of “acceptable” levels of risk.
Most problems arise when enterprises assess cloud security in a vacuum. Few businesses look to run a completely new application in the cloud; they are expecting to migrate a current application. That means that they shouldn’t be looking at the security of the application overall, but rather at the security of the cloud relative to their current data center hosting.
Looking at cloud data security through this lens means determining acceptable risk. Security management, like all forms of risk management, is a tradeoff of risk versus cost. It’s important to gauge the risks associated with your current applications running in the current data center and worry about cloud risks that are greater than those you’re already accepting. That will ensure that cloud security costs don’t destroy the business case for cloud — something that can happen all too easily.
Application access. Access security in the cloud is often a major concern, but it is frequently not an incremental risk at all. If the Internet is used to access your applications today, there’s no incremental risk to accessing the same applications in the cloud via the Internet — presuming you can manage SSL and encryption keys correctly, as noted above. The challenge would come if you intended to substitute Internet access for virtual private network access, and, in particular, create an Internet VPN.
Internet VPNs normally use the IPsec encryption system, which differs from SSL security in that it creates a community of users whose traffic is encrypted/decrypted by software or hardware between them and the network. When companies use IPsec on their own internal VPNs, no additional security risks exist for the cloud; however, cloud providers typically won’t support adding security appliances to their cloud data center, so a software appliance may be needed to support the IPsec VPN connection to each cloud application. Typically, this would be part of the machine image for each application, a kind of middleware. Check with your current IPsec provider to ensure that you have a cloud-compatible IPsec agent available.
Physical data security. Physical security of data assets is the biggest concern to most users and the most difficult one to address as a planner. If confidential information is stored in the cloud, it’s critical to validate the security certifications of your cloud provider. There are a number of cloud security compliance frameworks, notably the Cloud Security Alliance (CSA) Open Certification Framework (OCF); however, they’re not all fully developed.
If you plan to store confidential information in the cloud, confirm what framework(s) your cloud provider offers and how well it fits your needs. The biggest issue for most planners is determining if the cloud provider’s framework supports your compliance guidelines and government regulations — and this review should be completed by your internal audit or compliance office, in cooperation with government regulators where needed.
It’s possible to reduce the issues of physical security in cloud projects by eliminating storage of confidential data. If applications use structured data access (DBMS/RDBMS query processing) rather than block-level I/O, it’s possible to migrate applications to the cloud while retaining data storage in house.
Independent audits are another consideration for cloud planners researching cloud data security options. Companies subject to stringent compliance requirements may need to have a cloud strategy certified by an independent source.
If you have a compliance audit firm in place for internal IT, that company is likely the best source of cloud compliance and security auditing. If you don’t, make up a matrix of cloud providers and the security compliance auditing firms they recommend. Pick the top three names based on representation and then contact each firm for a bid.