Cloud Security Takes Center Stage

Now that enterprise cloud services have taken center stage, everyone is talking about cloud security. Along with cost, cloud security is top of mind for most organizations considering a hosted cloud solution. The high-profile security breaches of the past few years might explain why CEOs and CIOs are paying such close attention to security.

Cloud Security is Top of Mind

According to the Boston Globe, a data breach in 2007 cost TJX Companies $256 million. It also compromised 45 million customer credit and debit card numbers. Things have not improved much in the years following this high-profile incident. During 2012, almost every industry sustained hacking attacks and a vast amount of data was stolen. eHarmony acknowledged that about 1.5 million user passwords were compromised last year. LinkedIn, the networking giant, was stripped of 6.5 million hashed passwords in July of 2012. Zappos, the online shoe retailer, was tapped for the personal information of about 24 million customers. Even presidential candidate Mitt Romney had his email account hacked by someone who found his email address in the Wall Street Journal.

Despite significant savings in infrastructure costs and improved operational flexibility, security is the single biggest barrier for companies wanting to implement a cloud-based solution. However, security methods are improving, and confidence that cloud providers can protect their customers' data is rising.

Before we tackle the question of what cloud security is, let's discuss what cloud security is not.

What Cloud Security Is Not

First, cloud security is not a one-size-fits-all program or procedure that protects every asset running in a cloud. Second, cloud security is not simply placing a firewall in front of a single point of attack. Computing systems have expanded to span the entire perimeter of a computing landscape; it is critical that all endpoints accessing the cloud, as well as edge computing systems, are secure. Lastly, cloud security is not a universal and standardized service provided by all companies offering cloud solutions. Because cloud computing typically involves third-party hosting providers, it would be a mistake to assume that every third-party provider has the right security processes and procedures to protect your corporate data and systems.

While there are many things cloud security is not, the main point is that protecting your computing assets in a cloud environment, with so many access points, is far more complex than it was just a few years ago. Less than 5 years ago, a solid datacenter, a good firewall and trusted employees were considered sufficient tools to protect most computing assets. This is not the case anymore.

What Cloud Security Is

While everyone has a different approach to defining cloud security, for our purposes we're going to discuss this topic from the standpoint of a third-party provider hosting enterprise systems such as SAP ECC or Oracle's E-Business Suite in a private cloud. Perhaps the best place to start is by stating that cloud security is a coordinated set of policies, technologies, and other controls designed to protect data, infrastructure, and applications from a breach. It is also a system that enables and supports regulatory compliance. This same definition would have applied 5 years ago, but what separates our computing systems today from those of 5 years ago is that the policies must now be different, the technology is different, and the controls are different. Attackers are fully aware of these differences, and security systems must constantly evolve as technology advances.

Security starts with protecting the physical environment. That being said, the authorized people inside the physical environment (e.g. technicians, engineers, programmers, administrators, etc.) who are responsible for maintaining it must be competent as well as trustworthy. A breach can happen due to an internal attack, or it can happen as a result of an honest mistake. Either way, security can be breached and the system compromised from within a secure physical building.

The focus of this post is on the technical aspects of protecting an organization's sensitive data and systems, and on what third-party hosting providers must do to guarantee a secure environment.

Today, the most advanced datacenters hosting private clouds rely on layered technologies to create a durable and flexible net or grid. This layering allows security components or pieces of software to be inserted at each level of the technology stack, creating multiple points of protection, or barriers. The barriers increase the chances that a hacker will be deterred, or possibly identified, before reaching the data. Layering also protects the good guys (the system administrators): even if they make a mistake or overlook something that leaves one layer unprotected, the other layers remain armed and secure.

In a private cloud, the security concerns of multiple clients sharing services and even equipment (called a multi-tenant environment) are typically minimized. Private clouds usually handle the entire computing environment of a single company as a single closed system, including the network, edge computing, and mobile access points. This can go so far as housing the servers and racks in a separate, secure building. However, a private cloud can still be exceptionally private and secure even if it is housed in a multi-tenant system, provided it is physically impossible for any part of the private cloud to touch or integrate with any part of the other clouds hosted in the same datacenter. The main point is that any organization evaluating hosting services to manage its private cloud should examine how the private cloud is kept private.

In some cases, there is debate as to whether a hosting environment can be considered a private cloud at all. When evaluating vendors for private cloud computing, it's important to ask whether more than one company's data is running on the same server.

Traditionally, application components and services consolidated onto a single server platform should all belong to the same company in order to maintain the integrity of a private cloud. However, some companies have recently created virtualized environments running on a single box that are reported to be as secure as a stand-alone physical server. Intel is one of the companies leading the way in this endeavor. Regardless, if you are considering a hosted private cloud, it is recommended that you find out how the virtualized environments are maintained by any providers under consideration.

If you are looking for a third-party private hosting provider with a strong security posture, one of the main capabilities you will find is the ability to provide data sovereignty. This means you have complete control (sovereignty) over your data, almost as if the information were hosted in a data center within the physical boundaries of your organization.

You will also have complete functional control of your systems, although you may utilize the technical expertise of your hosting provider to support the daily 'care and feeding' of your landscape.

In addition to data sovereignty, there are some other security-related questions you should ask your prospective vendors:

  1. Does the vendor have any suggestions about how best to utilize your existing technology investments?
  2. Can the vendor help with architectural design issues as well as system deployment guidance and other best practices for your cloud?
  3. Is the vendor's infrastructure scalable and flexible enough to accommodate your needs now and in the future? What happens if you need to ramp up or down?
  4. Does the provider have 24/7/365 technical support?
  5. How does the vendor handle disaster recovery planning?

If you are interested in reading more about public and private clouds, download our whitepaper: Cloud Computing: a deeper look into the technology, design and opportunities.