I receive a lot of questions debating whether Cloud (Public or Private – Offsite) actually improves security for most organizations. The answer for most companies is emphatically yes, with a caveat: security improves dramatically only when IT governs cloud access, rather than discovering it after employees have adopted services on their own. Here's the rationale for hypothetical company SQUIB, a US-based manufacturing company with offices throughout the US and a centralized data center.
File Sync and Share: SQUIB's employees are using FileBox (hypothetical file share site) to store and share information (view Forrester article here) because IT's email limits on attachment size get in their way. This brings up a whole host of security questions. What is your company's SLA with FileBox? What is FileBox's responsibility for the data? During a company audit, is this data included? Are there customer records in the data? What would the compliance department think? If the answer is "I'm not sure", then you know the answer: you are at risk, and data is leaving the organization with no contract, no inventory and no audit trail. Clearly, your organization needs a solution, and it's imperative that IT step up as the advocate of that solution, whether by providing a similar enterprise-class service or by working directly with cloud storage providers to architect the right solution for your organization.
Infrastructure Security: SQUIB has never experienced a major security breach, and therefore has become complacent in its security model. Sound familiar? Most companies have some level of protection for their infrastructure, from intrusion detection to environment monitoring for uncharacteristic behavior. Keeping both OS and security patches up to date is a priority, but typically not a top priority. For cloud providers it is the top priority, because their business model depends on maintaining the highest levels of security. The caveat is the shared-responsibility model: the provider patches the underlying platform, but in an IaaS deployment the guest OS and applications remain the customer's responsibility, so moving to the cloud removes part of the patching burden rather than all of it.
Platform as a Service: SQUIB's IT department is constantly being asked to stand up a compute environment for application developers. Sometimes it's for an application development tool IT is accustomed to; oftentimes it's one for which IT has limited knowledge. Utilizing PaaS providers (Windows Azure, Oracle, AWS Beanstalk, etc.) ensures that you develop under a standard software application framework. In a typical IaaS environment, developers are free to install development software of their choosing, some of which is not well suited to a cloud environment and which IT then has to secure and patch without knowing it well. With PaaS, both the infrastructure and the development tools are designed and tested for a cloud-based environment.
Business Continuity / Disaster Recovery: SQUIB maintains a DR site with an independent company based on the other side of town. All of its data is replicated to the DR site on a regular basis, and SQUIB tests on a semi-annual basis. This is pretty typical for the industry. In this instance security is very high; however, for most companies Business Continuity suffers in both RPO and RTO compared to BC/DR in a cloud environment. In a cloud-based BC/DR plan, SQUIB would replicate all data constantly to the private offsite cloud while maintaining a limited number of Virtual Machines there. In the event of a disaster, SQUIB would only need to spin up additional VMs to handle the increased load. Continuous replication drives down the RPO (how much data can be lost), and the pre-provisioned VMs drive down the RTO (how long recovery takes).
Infrastructure and applications will never be 100% secure. However, due diligence and a comprehensive cloud strategy that integrates your data center into a cloud-based offering are critical to the future security of your organization. The next step is up to you.