Sunday, May 18, 2025

Overcoming Cloud IT Security Challenges

If you do a Google search on ‘cloud computing’, about 45.1 million results come up. There’s no doubt cloud computing is fast becoming one of the top buzzwords in the business world. ‘Going cloud’ is a very real strategy today for IT managers to cut costs, increase flexibility, and support Green IT initiatives. Cloud computing is becoming mainstream computing. Regardless of which ‘type’ of cloud your deployment plans fall under (public, private, or a combination), a key question that CIOs across industries, particularly in the financial services industry and among telecommunication providers, are asking is: “Is cloud computing secure?”

Contributed by Ivan Wen, the Country Manager of Sourcefire Malaysia.

A recent Ponemon Institute 2010 study, “Flying Blind in the Cloud,” found that a mere 20% of companies involve IT security in their cloud migration process and only 30% evaluate cloud services from a security perspective before using them for the business.

Briefly, the IT security challenges to consider before moving to the cloud fall into three main categories.

  1. Loss of Governance. When you’re handing over the keys to your data to an external cloud vendor, you need to make sure you understand the risk profile of that vendor. Try to understand the vendor’s security infrastructure and policies, the level of security training their personnel have received, their admin access / login policies for the data, and their firewall and intrusion detection and prevention systems (IDS/IPS). In addition, if your organization intends to make considerable investments in migrating its infrastructure or applications to the cloud to meet industry standards or to comply with certain governance or regulatory requirements, you also need to make sure the cloud vendor’s infrastructure complies with the relevant regulations.
  2. Potential insecurity of shared infrastructure. The multitenant nature of public clouds means that you may be sharing infrastructure with a completely unknown set of other parties. Your ‘neighbors’ could be independent hackers or those employed by competitors, organized crime, or others looking to gain access to your most critical data.

    A lack of basic protections and customer data compartmentalization could cause vulnerabilities at all levels of the cloud infrastructure stack, from hardware, hypervisor, network, and operating system to storage and application layers.

  3. Data Loss and Leakage. Cloud vendors may have their own protections, but history has shown that these may not be enough. Examples include a hacker group that was able to obtain e-mail addresses and SIM card numbers for over 100,000 iPad users from the AT&T website, and T-Mobile Sidekick customers who temporarily lost their data due to an outage in a Microsoft data center. In both cases, the cloud customers, Apple and T-Mobile, were left holding the bag because the data losses occurred not within their own networks but within those of their cloud vendors.

Regardless of these risks, the cloud is here to stay and organizations must have a security strategy in place. Below are the three steps for overcoming cloud security challenges.

  1. Evaluate the cloud vendors. CIOs must ensure that the vendor’s solution is transparent enough to meet the privacy requirements. Involving a third-party independent security testing vendor to provide an assessment of the cloud provider’s infrastructure and services will bring objectivity and expertise into the evaluation.
  2. Plan your migration stages to the cloud. The rationale encouraging you to move to the cloud is likely to save costs and increase agility. If you start with low-risk applications, you can demonstrate the inherent risks of cloud computing without sacrificing your critical data or reputation, or potentially incurring financial risk. In effect, this can be a ‘proof of concept’ without major consequences.

    Many organizations are taking this approach. A recent study uncovered that a large majority of end users in the cloud computing industry are currently or using clouds for noncritical applications with a little under one-third using clouds for critical applications.

  3. Evolve your internal infrastructure into a private cloud. For cost savings and operational efficiencies, consider moving your internal infrastructure to a private cloud architecture first. Building a private cloud is similar to building a virtual network. Remember a few key principles to maintain security: visibility is crucial, so make sure you can see the changes in your infrastructure during the migration; and make sure your security policies account for your business’ virtual network and are up to the mark for the dynamic nature of virtual networks.

Despite the numerous security risks involved with cloud computing, it is critical that we take a thoughtful and proactive approach to this transition to the cloud. If you can be quick to migrate some applications to the public cloud; be smart about evaluating cloud vendors; and be proactive in building out a secure private cloud, you’ll be well on your way to going safely “to the cloud.”
