
Is there a hard and fast set of best practices for maintaining security standards once you migrate to the cloud?

Most of the time, when you mention the term cloud, people think of the “public cloud”, and their interaction with it is from a consumer perspective, whether we’re talking about iCloud, Amazon cloud, or even backing up your computer to something like Symantec’s cloud.  As consumers, we just assume that the cloud is secure.

 

As enterprises, we have a different security standard that we have to consider as compared to the consumer grade cloud.  We need to look at security from three standpoints:

  • First, security of data in flight. 
  • Second, security that is provided by the cloud provider. 
  • Third, security of your data in the cloud. 

 

First:

Looking at the movement of data between private and public clouds, you have to consider the security risk of data in flight.  In this scenario, you’re thinking of WAN security.  Typically, customers connect via IPsec, SSL and MPLS connections to provide industry-standard link encryption and message authentication to help ensure that data cannot be modified during transmission.  In this model, all access to servers is strictly monitored.  To add an even greater level of security, data can be encrypted before transmission so that the data stays protected even if the link is breached “in flight”.

 

Second: 

Looking at the security of the cloud provider, you should be concerned with three points: Physical Controls, Technical Controls, and Administrative Controls. 

  • Physical Controls:   Cloud data centers are designed to support and protect mission-critical operations, with robust SLAs to provide for trust between the customer and the provider.  As such, there are SAS-70 and SSAE 16 standards and ISO/IEC 27001 certifications that help provide a level of physical security that is auditable. 
  • Technical Controls:  Multiple levels of disparate defences need to be used to protect customer information and strictly control network access to the datacentre. 
  • Administrative Controls:  Who has physical access to the data center and who can make changes to the infrastructure are both part of administrative controls. 

 

Your cloud provider’s approach to the security of its cloud should be fourfold:

(1)    Embed:  The ability to EMBED security into devices and platforms with integrated security

(2)    Protect:  The ability to PROTECT your data from device to cloud

(3)    Detect:  The ability to proactively DETECT and stop risks before they impact your environment

(4)    Respond:  The ability to RESPOND immediately to an information breach when every second counts

 

Third:

From the standpoint of your data in the cloud, you should already have a high comfort level with the security provided by your cloud provider.  The old adage of “trust but verify” comes into play.  In this case, encryption ensures that although you trust, you reserve the right to verify: even if something were to happen, you can pass the security audits necessary to show that the data will not be compromised.  Security, however, can also be looked at from the perspective that your data is snapshotted and backed up, helping ensure that your RPO and RTO objectives are met.


About Michael Elliott

Michael Elliott is a thought leader, cloud strategist and enterprise data center evangelist focusing on data center evolution with particular emphasis on private and hybrid clouds. Michael previously worked as Dell’s Cloud Evangelist representing Dell’s cloud portfolio and vision at customer meetings, media briefings, and industry conferences. Prior to that, Michael held marketing and consulting roles in the storage and telecom industry. Michael currently works for NetApp as their cloud strategist and evangelist. Michael started his career as a mainframe programmer for General Electric and held the role of adjunct professor of marketing at the University of Akron. Michael has a mathematics degree from the University of Cincinnati and an MBA from Pennsylvania State University. Michael’s recent work includes:

  • Participation in cloud industry panels and private equity discussions relating to the vision of cloud.
  • Business development activities with a focus on the enterprise data center.
  • Sales enablement and training on cloud positioning and how cloud impacts hardware and software sales.
  • Industry conference presentations including the Consumer Electronics Show, Cloud Computing East, Educause, and the Cloud Computing Association.
  • Presentation at the International Forum on Innovation and Emerging Industries Development in Shanghai, China.
