Security in the Cloud

One major concern has loomed over companies considering a transition into the cloud: security. The “S” word has affected the cloud more than other types of hosted environments, but most concerns about security are not based on reality.

Three factors about cloud security:

1. Cloud security is almost identical to internal security, and the security tools used to protect your data in the cloud are the same ones you use each day. The only difference is that the cloud is a multi-tenant environment with multiple companies sharing the same cloud service provider.

2. Security issues within the cloud can be addressed with the very same security tools you currently have in place. While security tools are important, they should not be perceived as a hindrance when making the transition into the cloud. Over time, the commodity nature of IT will require that you transition your technologies to the cloud in order to remain financially competitive. This is why it is important to start addressing security measures now in order to prepare for the future.

3. As long as you choose a quality cloud provider, your security within the cloud will be as good as, and perhaps even better than, your current security. The level of security within the cloud is designed for the riskiest client in the cloud, and thus you will receive that same security whatever your level of risk.

Internal or External IT?

Prior to asking questions about security within the cloud, you need to ask what exactly should move into the cloud in the first place; commodities are the natural candidates. Back when companies first began taking advantage of IT, the first businesses to computerize their organization's processes had significant gains over competitors. As the IT field grew, however, the initial competitive benefits of computerization began to wane, and computerization became a requirement simply to remain relevant. As such, an increasing amount of IT operates as a commodity.

Cloud computing essentially allows businesses to offload commodity technologies and free up resources and time to concentrate on the core business. For example, a company manufacturing paper products requires a certain amount of IT to run its business and make it competitive. The company also runs a large quantity of commodity IT; this commodity technology takes time, money, energy and people away from the company's business of producing paper products at a price that rivals competitors. This is where cloud computing comes in.

The commodity IT analysis form helps you determine what parts of your IT can be moved externally by helping you list all of the functions that your IT organization performs and decide whether you think of each activity as a commodity or not.

Internal IT Security

Some think that internal IT no longer helps businesses set themselves apart from other businesses. The devaluing of IT leads to many companies failing to adequately fund the budgets required to operate a first-class IT infrastructure. In addition, an increasing number of security mandates from external and internal sources means that IT can't always fund and operate as required.

Another problem involves specialization and its effect on business function, as businesses exist as specialized entities. When it comes to funding and maintaining a non-core part of the business, IT faces a problem. For example, an automotive maker avoids starting a food production company, even though it could feed its employees that way, because that is not its core business. It is unlikely that the automotive manufacturer's IT department will be as successful as its manufacturing business. On balance, a business with IT as its only product line or service should be more successful at providing IT. Thus, if the automotive maker isn't going to operate as a best-in-class IT business, why would its security be expected to be best-in-class? A company with IT as its business is the best choice for securing your data because the quality of its product and its market success depend on its security being effective.

Factors to consider when picking a cloud provider:

Like internal IT, cloud providers face internal and external threats that can be accepted or mitigated, and these challenges are all manageable:

Security assessment: Most organizations relax their level of security over time, and to combat this, the cloud provider must perform regular security assessments. The resulting security report must be given to each client immediately after the assessment is performed so the client knows the current state of their security in the cloud.

Multi-tenancy: The cloud provider should design its security to ensure that it meets the needs of its higher-risk clients, and in turn all clients will reap the rewards of this.

Shared Risk: The cloud service provider will not be the cloud operator in many instances, but the cloud service provider may nonetheless be providing a value-added service on top of another cloud provider's service. Take a Software-as-a-Service provider, for example. The SaaS provider needs infrastructure, and it may make more sense to get that infrastructure from an Infrastructure-as-a-Service provider as opposed to building it on its own. Within this kind of multi-tier service arrangement, the risk of security issues is shared by each party because the risk affects all parties involved at various layers. The architecture used by the main cloud provider must be addressed and that information taken into account when assessing the client's total risk mitigation plan.

Distributed Data Centers: Because providers can offer an environment that is geographically distributed, a cloud computing environment should, in theory, be less prone to disasters. In reality, many organizations sign up for cloud computing services that are not geographically distributed; thus they should require that their provider have a working and regularly tested disaster recovery plan (including SLAs).

Staff Security Screening: As with other types of organizations, contractors are often hired to work for cloud providers, and these contractors should be subject to a full background investigation.

Physical Security: When choosing a cloud security provider, physical external threats should be analyzed carefully. Some important questions to ask are: Do all of the cloud provider’s facilities have the same levels of security? Is your organization being offered the most secure facility with no guarantee that your data will actually reside there?

Policies: Cloud providers are not exempt from suffering from data leaks or security incidents, which is why cloud providers need to have incident response policies and procedures for each client that they feed into their overall incident response plan.

Data Leakage: One of the greatest organizational risks from a security standpoint is data leakage. As such, the cloud provider must have the ability to map its policy to the security mandate you must comply with and talk about the issues at hand.

Coding: In-house software used by all cloud providers may contain application bugs. For this reason, each client should make sure that the cloud provider follows secure coding practices. All code should additionally be written using a standard methodology that is documented and can also be demonstrated to the customer.

In conclusion, security remains a major concern, but it is important to understand that the technology used to secure your organization within the cloud isn’t untested or new. Security questions within the cloud represent the logical progression to outsourcing of commodity services to some of the same IT providers that you have been confidently using for years already. Moving IT elements into the cloud is simply a natural progression in the overall IT evolution. Visit for more information regarding the ever-changing environment of Cloud security.
