Security In The Cloud
IT security is always about trust. We trust, often implicitly, that the technology we purchase and install on our own networks will protect us from security threats. While few people know more than the basics about the workings of different security technologies, such as firewalls and anti-virus software, it’s not difficult to select a reputable security provider on the basis of some simple research. It’s no different when choosing a “cloud computing” provider that can guarantee the highest levels of security across its network.
Cloud computing is where services such as data storage and software applications are hosted remotely and delivered to users over the Internet. The benefits of cloud computing are increasingly being recognised by small and medium-sized businesses, not least of which are the economies of scale that enable cloud providers to invest in the most sophisticated security technology on the market. Because this technology covers their whole network, it brings enterprise-grade security within the ambit of small- and medium-sized companies.
There is, however, still some scepticism – healthy, though largely unwarranted – about how secure computing in the cloud can be. Many organizations are uncomfortable with the idea of storing their data and applications on systems they do not control. This wariness isn’t helped by a lack of a universally-agreed set of best practice standards for secure cloud computing, which makes it difficult for business owners to know what to demand from their cloud providers, and thus to carry out the necessary due diligence that such a critical business decision demands.
The good news is that by asking the right questions and following a simple checklist when choosing cloud-based services, business owners can ensure that they select a provider who can guarantee the highest possible levels of security, and begin to reap the benefits of computing in the cloud.
Choosing an expert provider
Security isn’t just about viruses and protecting your sensitive data from hackers – it’s also ensuring that you always have access to business-critical information. By placing data “in the cloud”, organisations are entrusting third parties with the very lifeblood of their business, so it pays to do some research when selecting a cloud provider.
First of all, find out about the provider and the people behind it. What is the company’s background, and do they have a proven pedigree in cloud computing and security? Any company with a data centre can set themselves up as a cloud provider, so it’s common sense to look at their track record in the industry and their understanding of cloud computing security issues.
Cloud Backup
Many businesses are wary of entrusting their data to a third party, and rightly so. Without its data, no organisation can survive. That’s why all businesses, big and small, need a business continuity plan in place to protect against unscheduled downtime. But it’s usually only the largest companies that have a dedicated IT department with the resources to offer real protection for all critical systems and data.
Cloud computing can bring this enterprise-level backup protection to smaller businesses. Firms should choose a cloud provider that can provide them with a business continuity plan based around real-time backup, where information is protected with continuous journaling and any-point-in-time recovery. This protects data between regularly scheduled backups, minimising data loss and keeping a business going during planned or unplanned outages.
Backing up data in the cloud enables smaller organisations to make use of world class data centres, ideally deploying virtualisation technology to make data storage efficient and cheap. But that still means that critical business data is only stored off-site – and that’s something guaranteed to bring sleepless nights to business owners. What happens when you’re unable to access your data?
Backup Begins At Home
Investing in a redundant Internet connection is essential for any business that chooses cloud computing, enabling businesses to switch if their broadband fails. But that only covers the connection between the business premises and the remote servers. No data centre is immune from occasional downtime, no matter how reputable and experienced the provider. That’s why businesses must ensure that they make regular backups of their critical data. While scheduled backups won’t enable businesses to restore systems to the moment they went down, they still give them the added security of knowing that they hold their data onsite, as well as in the cloud.
Technology & Infrastructure
Central to the cloud computing model is the idea that data is accessed remotely. This brings its own security challenges, which providers must meet while ensuring that they don’t neglect the more traditional elements of data centre security.
When choosing a cloud service it’s best practice to conduct a thorough audit of the supplier. Although there is a paucity of industry-standard best practice, there are still auditing standards to which cloud providers should adhere, for example the auditing standards ISO27001 and SAS70. These both provide the foundations for third-party audit, and principles for governing information security and network systems.
An audit should include all the usual checks that businesses make when making a decision on data centres, such as ensuring that the provider has invested in top-of-the-range physical and network security systems; first class, high availability infrastructure; and redundant components throughout the network. But when businesses are relying on a cloud infrastructure for their critical data and applications, this audit needs to go beyond the nuts and bolts of the data centre and look at areas such as network configuration and security policies.
Multi-Site Failover
Businesses should choose a cloud provider that splits its server and storage infrastructure across multiple data centres in different locations. All these sites should be configured to fail over to each other seamlessly so that, in the event of a catastrophic failure, for example a local power cut, businesses won’t lose access to key processes or data. As part of the security audit, firms should check to see what systems are in place to bring complex systems back online as quickly as possible and in a co-ordinated fashion.
The transfer of large amounts of information over computer networks is inherent in the cloud model, and businesses must ensure that their provider moves data between geographic sites in the most secure manner. Cloud providers should use the most sophisticated encryption technology to guarantee the integrity of data sent between locations.
Data Location
One thing that businesses often neglect to ask from their cloud providers – and that can have a colossal impact on an organisation’s security in the cloud – is the actual location of the servers on which their data is held.
All data centres have to comply with all local, national or regional laws, but data security standards vary wildly between different jurisdictions. For example, European Union member states generally demand very strict privacy protection, whereas the same data hosted in the USA can be accessed under the almost-limitless powers of the Patriot Act. Everyone has a right to know where their data is stored, and how this affects the security of their sensitive, business-critical information.
Security Policies
The most sophisticated intrusion detection system and industry-leading firewalls aren’t going to protect your critical business information if your cloud provider routinely allows other companies to view this data. The spread of virtualisation means that different companies no longer just share the same server cabinet – two rival firms could potentially host their sensitive data on the same physical server. Businesses need to ask searching questions about how their prospective cloud providers will prevent their data from being exposed.
Critically, cloud providers usually work with a number of third parties such as providers of security software and component suppliers, so businesses need to ask about privileged user access – exactly who will have access to their data.
But selecting a cloud provider with first class security policies isn't going to protect you from threats within your own organisation. Good security starts from within an organisation, and the nature of cloud computing – where data and applications are held offsite, rather than on an individual’s hard drive – means that special security measures must be taken to ensure that certain application data can only be accessed by those with legitimate authority. Any company that places its application data in the cloud must ensure that they include rigorous application security policies, including user authorisation and authentication; encryption; and configuration management, to prevent unauthorized access to administration interfaces. Firms should also invest in security testing tools, which automatically check for potential vulnerabilities within applications.
Many businesses, such as those working in the financial services industry, have their own set of security policies to abide by – for example, those mandated under the Sarbanes-Oxley or Payment Card Industry Data Security Standard (PCI DSS) regulations. These companies need to ensure that their cloud provider is compliant with the strictures of the relevant regulations.
Ease of Migration
Cloud providers are not immune from the vicissitudes of the global economy, and they can fail just like any other company, so businesses must ensure that it’s quick and easy to migrate data to another provider. Companies may also want to change provider for a range of different reasons: because they want to pay less, get better service level agreements or because they’ve discovered a particular security failing with their current provider.
That’s why businesses should choose a provider that won’t lock them into their platforms, or hold their data hostage to prevent them migrating to another supplier. Sadly, examples of such unscrupulous behaviour are fairly commonplace, but the good news is that businesses can easily protect themselves by asking providers about their migration policy before any relationship is formalised. Any reputable cloud provider will make it as easy as possible to migrate. Businesses should look for a provider that supports the Open Virtualisation Format (OVF) standard, which makes it simple, fast and secure to migrate data between service providers.
By asking the right questions, doing some basic research into their pedigree in security and the cloud, and by choosing a provider that’s open, honest and transparent, businesses can ensure that they are as secure, or more so, than if they hosted their information themselves – while reaping the benefits of lower cost, greater efficiency and enterprise-grade infrastructure.
– ends –
Notes to editors:
Journalists are invited to quote and use information from the backgrounder below but please ensure all comment is attributed to John Dudmesh, Cloud Data’s Technical Director.
For further editorial information or to arrange an interview please contact the Cloud Data press office: clouddata [at] pwkpr [dot] com or telephone 020 7609 1900.
About John Dudmesh:
John is a qualified VMware Certified Professional (VCP) with more than three decades of experience in the IT industry.
Prior to becoming one of the founding directors of Cloud Data, John was Systems Development Manager for Mistral Internet Group Ltd with overall responsibility for managing, maintaining and developing the entire internal hardware and software platform.
At Mistral, John was responsible for delivering customer-facing projects including on-demand VMware virtual server provisioning, large scale DSL circuit management and interactive telephony services.
John has a long track record of delivering complex software and hardware systems in the UK and Europe to a number of high profile clients including PepsiCo, Telewest, FedEx, Compaq, Enron and BT.
About Cloud Data:
Cloud Data combine unrivalled technical expertise with an investment in industry-leading infrastructure to deliver hosting, business continuity and backup services through cloud computing specifically for small and medium-sized enterprises. We ensure the availability of our clients’ business-critical IT systems and data, no matter what disaster may hit their IT infrastructure. Above all, we’re committed to providing the most personalised, professional standards of support for our customers.
