Building a Secure Future in the Cloud
Published 01/27/2011
By Mark Bregman
Executive Vice President and Chief Technology Officer, Symantec
Cloud computing offers clear and powerful benefits to IT organizations of all sizes, but the path to cloud computing – please excuse the pun – is often cloudy.
With cloud computing, IT resources can scale almost immediately in response to business needs and can be delivered under a predictable (and budget friendly) pay-as-you-go model. An InformationWeek survey[1] in June 2010 found 58 percent of companies have either already moved to a private cloud, or plan to soon. Many others, meanwhile, are considering whether to shift some or all of their IT infrastructure to public clouds.
One of the biggest challenges in moving to a public cloud is security – organizations must be confident their data is protected, whether at rest or in motion. This is new territory for our industry. We don’t yet have a standard method or a broadly accepted blueprint for IT leaders to follow. In my role as CTO of Symantec, I have invested a lot of time examining this challenge, both through internal research and in numerous discussions with our customers around the world. And while we are not yet at the point of writing the book on this subject, I can tell you that there are a number of common themes that arise in nearly every conversation I have on this subject. From this information, I’ve developed a checklist of five critical business considerations that decision makers should examine as they think about moving their infrastructure – and their data – to the cloud.
1. Cost-benefit analysis. The business case for cloud computing requires a clear understanding of costs as compared to an organization’s in-house solution. The key measure is that cloud must reduce capital and operational expenses without sacrificing user functionality, such as availability. The best delivery model for cloud functionality is a hardware-agnostic approach that embraces the commodity architectures in use by the world’s leading Internet and SaaS providers. This can be achieved through low-cost commodity servers and disks coupled with intelligent management software, providing true cloud-based economies of scale and efficiency.
2. Robust security. When you move to the cloud, you’re entrusting the organization’s intellectual property to a third party. Do their security standards meet the needs of your business? Even the smallest entry point can create an opening for unauthorized access and theft. Authentication and access controls are even more critical in a public cloud where cluster attacks aimed at a hypervisor can compromise multiple customers. Ideally, the cloud provider should offer a broad set of security solutions enabling an information-centric approach to securing critical interfaces – between services and end users, private and public services, as well as virtual and physical cloud infrastructures.
3. Data availability. As cloud places new demands on storage infrastructure, data availability, integrity, and confidentiality must be guaranteed. Often, these provisions come with vendors who offer massive scalability and elasticity in their clouds. To make this approach manageable for customers, cloud vendors must offer tools that provide visibility and control across heterogeneous storage platforms. The final test for cloud storage is interoperability with virtual infrastructures. This allows service providers to standardize on a single approach to data protection, de-duplication, assured availability, and disaster recovery across physical and virtual cloud server environments, including VMware, MS Hyper-V and a variety of UNIX virtualization platforms.
4. Regulatory compliance. Cloud computing brings a host of new governance considerations. Organizations must evaluate the ability of the cloud provider to address the company’s own regulations, national and worldwide rules for conducting business in different regions, and customer needs. For example, many healthcare customers will require SOX and HIPAA compliance while financial customers must comply with Gramm-Leach-Bliley and Red Flags.
5. Check the fine print. Don’t forget to thoroughly evaluate your organization’s SLA requirements and ensure the cloud provider can deliver on these provisions and is legally responsible for doing so. The most common SLAs relate to disaster recovery services. Make sure a contingency plan is in place to cover outages. In the event of a disaster, is the facility hosting your data able to quickly fail over to another data center? On a related note, an SLA best practice is to perform data classification for everything – including customer data – being considered for cloud migration. Know where your vendor’s cloud assets are physically located, because customer SLAs – such as with federal agencies – may require highly confidential data to stay on-shore. Non-sensitive information can reside in offshore facilities.
These five critical business considerations serve as a checklist for building trust into the cloud. This trust is crucial as the consumerization of IT continues to redefine the goals and requirements of IT organizations. Consider that, by the end of 2011, one billion smartphones will connect to the Internet as compared to 1.3 billion PCs.[2] The acceptance of mobile devices into the enterprise environment creates more demand for SaaS and remote access. As a result, businesses large and small will increasingly turn to cloud to keep pace with demand.
[1] InformationWeek, “These Private Cloud Stats Surprised Me”: http://www.informationweek.com/blog/main/archives/2010/06/these_private_c.html
[2] Mocana Study, “2010 Mobile & Smart Device Security Survey”