Most of the times, when you mention the term cloud, people think of it in terms of the “public cloud”. And their interaction is from a consumer perspective. Whether we’re talking about iCloud, Amazon cloud, or even backing up your computer to something like Symantec’s cloud. As a consumer, we just assume that the cloud is secure.
As enterprises, we have a different security standard that we have to consider as compared to the consumer grade cloud. We need to look at security from three standpoints:
- One, security of data in flight.
- Second, security that is provided by the cloud provider.
- Third, security of your data in the cloud.
Looking at the movement of data between private and public clouds, you have to consider the security risk of data in flight. In this scenario, you’re thinking of WAN Network security. Typically, customers connect via IPsec, SSL and MPLS connections to provide industry-standard link encryption and message authentication to help ensure that data cannot be modified during transmission. In this, all access to servers is strictly monitored. Now, to add an even greater level of security, data can be encrypted before transmission so that any breach “in flight” would still maintain the security of the data.
Looking at the security of the cloud provider, you should be concerned with three points: Physical Controls, Technical Controls, and Administrative Controls.
- Physical Controls: Cloud data centers are designed to support and protect mission-critical operations with robust SLA to provide for trust between the customer and the provider. In as such, there are SAS-70 and SSAE 16 standards and ISO/IEC 27001 certifications that help provide a level of physical security that is auditable.
- Technical Controls: Multiple levels of disparate defences need to be used to protect customer information and strictly control network access to the datacentre.
- Administrative Controls: Who has physical access to the data center and who can make changes to the infrastructure are all a part of technical controls.
Your cloud provider’s approach to the security of our Cloud should be 4 fold:
(1) Embed: The ability to EMBED security into devices and platforms with integrated security
(2) Protect: The ability to PROTECT your data from device to cloud
(3) Detect: The ability to proactively DETECT and stop risks before they impact your environment
(4) Respond: The ability to RESPOND immediately to an information breach when every second counts
From the standpoint of your data in the cloud, you should already have a high comfort level of the security from your cloud provider. The old adage of “trust but verify” comes into play. And in this case, encryption ensures that although you trust, you reserve the right to ensure that even if something where to happen, you can pass the security audits necessary to ensure that the data will not be compromised. Security however can also be looked at from the perspective that your data is snapshotted and backed up helping ensure that your RPO and RTO objectives are met.