October 29, 2010 Leave a comment
This series reviews 4 ‘things’ you should take seriously when considering cloud solutions. Part 1 looked briefly at Application Integration – critical if your cloud solution needs to form part of an integrated IT strategy.
Now, we look at security.
Even though we have written about and discussed security a number of times it is still of extreme relevance and importance in the move to a cloud based service.
Most security consultants have had to deal with a huge shift in focus regarding security, but the basic security fundamentals for users of cloud services still apply. As a first step, assessing the risk in security and compliance is imperative. Core security topics such as control and manageability, tracking records of actions, trust and incident management, liability and support, misuse and data leakage, these are all more critical than ever.
According to Nico Popp, VP of product development at Verisign “This requires layers of security, including multifactor authentication, identity brokers, access management and, in some cases, an external service provider who can provide that high a level of administrative control”
“Security and cloud hosting are two separate things, but the cost of entry is so low, and often so simple, that customers may not do as much due diligence as they should to find out who’s responsible for security,” says Ezra Gottheil an analyst who covers server issues for Technology Business Research.
Too many times companies assume that their cloud provider is taking care of security – leaving themselves vulnerable to attack, and all too often, ignorant of the fact.
Customers must demand transparency, avoid vendors that refuse to provide detailed information on security programs. Ask questions related to the qualifications of policy makers, architects, risk-control processes and technical mechanisms and the level of testing that’s been done to verify that service and control processes are functioning as intended, and that vendors can identify unanticipated vulnerabilities.
Here are seven of the specific security issues Gartner says customers should raise with vendors before selecting a cloud vendor.
1. Privileged user access
Get as much information as you can about the people who manage your data. Ask providers to supply information on the hiring and oversight of privileged administrators, and the controls over their access.
2. Regulatory compliance
Traditional service providers are subjected to external audits and security certifications. Cloud computing providers who refuse to undergo this type of scrutiny must only be used for the most trivial functions.
3. Data location
Ask providers where your data will be stored, and if this data centre has sufficient security measures in place to obey local privacy requirements on behalf of their customers.
4. Data segregation
The cloud provider should provide evidence that encryption schemes were designed and tested by experienced specialists to ensure data integrity.
Even if you don’t know where your data is, a cloud provider should tell you what will happen to your data and service in case of a disaster.
6. Investigative support.
The vendor needs to assure you that they can investigating inappropriate activity and must show that they have already successfully supported such activities.
7. Long-term viability
Ideally, your cloud computing provider will never go broke or get acquired and swallowed up by a larger company. But you must be sure your data will remain available even after such an event.
Remember we need to qualify the vendors we want to do business with, that is why Marutech and Cornastone have invested a considerable amount of time to cut through all the hype and get to the point. To ensure that our customers know full well that the solutions in our stable really do meet the above requirements.
In the next article we look at storage, which continues to be one of the weak points of many a provider.