Cloudy with a chance of thunder
Security is a permissible concern in a cloud environment since sensitive customer and enterprise data is frequently shared, stored and accessed through the cloud. It is the foremost consideration in a government cloud, where mission critical defence and intelligence data is exchanged. And it’s true that there are some cloud security challenges. So why should you worry about these challenges?
Let’s first remember that cloud computing, by definition, means that you are sharing a computing resource with other users. We should also remember that most conventional business applications contain sensitive data, such as customer, patient, employee, financial, or other proprietary information that must be guarded and protected.
Unlike conventional computing, where we can control the entire infrastructure within our own firewalls, and where we can lock down data in controlled means, a shared cloud resource must also be secured to be able to meet most security compliance requirements.
Small business has led the way in adopting the cloud-based approach for the delivery of IT infrastructure, applications and services. However, while many enterprises are interested, data security concerns hold them back from handing over responsibility for their data and networks to a third party.
In a recent poll conducted by Unisys, more than half (51%) of respondents identified security and data privacy concerns as the major barriers to the adoption of cloud computing services.
This is a reasonable and valid reaction. Enterprises want to be reassured that their data will be secured from other enterprises that are also using the public cloud, or sharing facilities in multi-tenant environments, as well as protecting data from being hacked while it transits the internet.
Organisations keep highly sensitive customer data and business rules in enterprise resource planning (ERP) systems and other key applications. They have spent years building walls to protect this vital information, so it’s understandable if they don’t yet trust the internet as a delivery mechanism under a cloud model.
The safehaven of the corporate firewall
While they are starting to move non-critical applications with in-built security, such as email, to the cloud, they baulk at the opportunity to unleash applications from behind their corporate firewall onto the web. That’s why an enterprise that is looking to reap the cost saving and flexibility benefits of the cloud delivery model must seek a service provider that takes security as seriously as they do. An SMB solution won’t meet the grade. A cloud solution for the enterprise must be designed for the enterprise user, in order to protect and support mission critical applications.
The qualities to look for in a cloud solution designed for the needs of the enterprise are:
- Security and isolation of information within the boundaries of the third-party’s data centre;
- Transformation services that can handle dramatic changes in workloads;
- Proven and verifiable processes and procedures;
- Disaster recovery plans and procedures;
- Global reach for service and support as well as local compliance.
There have been high profile breaches which have fuelled fears about cloud security. In 2009, users of Google Docs saw their documents exposed to unauthorised users. In the same year, Salesforce.com suffered a major outage that rendered thousands of its users around the world helpless, while their critical business applications remained inaccessible for the better part of an hour.
Although these security concerns are well-founded, cloud services can be secure if the right technologies and processes are in place. If they’re not, businesses are at risk.
Data-in-motion / data-at-rest
Perhaps the weakest link in the cloud computing chain is the level of security when data is transmitted across the internet from the service provider to the customer – this is called data-in-motion. Organisations that are contemplating moving back office applications to the cloud should consider new encryption technologies to secure data during data transmission.
Unisys Stealth takes encryption of data-in-motion to the next level because it not only provides a higher level of encryption than the standard approach; it also breaks the information apart into multiple streams (bit-splitting) where data packets are split into multiple units as they are transported through the network, essentially cloaked during transmission, before being reassembled and delivered to end users.
A similar approach can be applied to data-at-rest, such as data stored on a disk, where data is split into bits and each bit is encrypted. Unisys Stealth was initially designed for the US government and it is currently being trialled by the US Joint Forces Command (JFCOM) to enable the country’s Department of Defence networks operating at different security levels to use a single network, while ensuring data can only be accessed by authorised groups.
Seek certified data centre partners
The other area of security is not software, but a repeatable set of proven processes which minimises the risk of human error. Look for cloud data centres that have attained ISO 27001 and ISO 20000 certification for best practice in Information Security Management, SAS 70 – type II certification for information processing and ITIL v3 certification for service management.
A service provider should allow its clients to conduct regular audits of its data centres to ensure their data is protected, private and compliant with various rules around data sovereignty. In New Zealand, for instance, the Reserve Bank’s Outsourcing Policy stipulates that "any outsourcing arrangements for bank functions must not create risk to the bank’s ability to continue to provide and circulate liquidity in the economy, under normal business conditions or circumstances of stress or of failure of the bank or of a service provider to the bank”.
No halting cloud adoption
Clouds are here to stay, no matter what the voices of dissent may say. Given the changing economic environment and the ongoing emphasis on cost savings, cloud adoption is the way of the future.
As enterprises rethink their cost models and look for ways to access data anytime and anywhere, the one decisive factor that can make or break the cloud is the security and privacy it offers.
If the right security policies are not in place, organisations are at risk of their data being exposed and open to attack. If they are, cloud infrastructure can be just as secure as systems kept behind the corporate firewall.