Seeing Through the Clouds: Gaining confidence when physical access to your data is removed
Blog Article Published: 03/12/2012
Cloud computing brings with it new opportunities, new frontiers, new challenges, and new chances for loss of intellectual property. From hosting simple web sites to entire development environments, companies have been experimenting with cloud-based services for some time. Whether a company decides to put a single application or entire datacenters in the cloud, there are different risks and threats that the business and IT need to think about. All of these different uses and scenarios are going to require thorough planning and development in order to make sure whatever gets put in the cloud is protected. When implemented properly, companies may actually find that they have improved their overall security posture.
When putting systems and information into your own datacenter, certain security measures have to be in place to ensure external threats are minimized. One of the big security measures is the datacenter itself, with a security boundary only allowing authorized personnel to have direct access to the physical systems. Within the datacenter, dedicated network connections ensure the data flows properly with little concern of unauthorized snooping. These and other physical controls go away when working in a cloud environment. Regardless of whether you choose an Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS) or Software-as-a-Service (SaaS) cloud model, the physical boundary has gone from a select few authorized people to an unknown number of people who are not even part of your company.
Other controls inherent to locally hosted systems include firewalls, network segmentation, physical separation of systems and data, and a dizzying array of monitoring tools. When going to a cloud model, whether it’s a public or private cloud, most of these controls either go away entirely or have significant limitations to them. The controls may still be there, but may not be under your direct management. In other cases some of these controls may be removed entirely.
The three tenets of security are confidentiality, integrity, and availability. When our data sits in our own datacenters we feel confident that we have a pretty good level of control over all three of those tenets. When we put our data in the cloud, we feel that we have lost control of all three. This doesn’t mean that a cloud-based solution is bad; rather, it means we need to look at what it is we’re migrating to the cloud and make sure the three tenets are still covered. Simply picking up an application or an in-house service and moving it to a cloud-based solution isn’t good enough, and will most likely leave information exposed. You need to review:
- How the information is secured
- How access is authorized
- How integrity and confidentiality are controlled
- The ability to have highly redundant, geographically diverse systems helps companies handle disaster scenarios and enhance customer experience.
- The ability to quickly add more systems helps companies handle spikes in traffic.
- Speed of deployment can also help a company to keep a competitive edge.
- If implemented with the appropriate security controls in place, companies can have safe, secure systems that not only rival those they could have built within their own datacenters, but also offer more features and security than traditional IT deployments.