building Security Into the CloudBy Samuel Greengard | Posted 2012-12-14 Email Print
Cloud computing is moving into the mainstream and forcing organizations to build security into systems and solutions.
PwC's Loveland says that clouds are just another tool or avenue of IT that must be addressed. "Organizations must dive in with their eyes wide open, take a proactive approach, and understand where data is stored, how it's stored and how it all relates to security and privacy issues," he advises. "It's about knowing what protections the cloud provider offers and what you need to do internally, and then building an infrastructure that minimizes risks."
A basic but often overlooked reality is that all data is not created or valued equally. Consequently, as organizations migrate to the cloud, they must address data classification issues.
According to Accenture, it's crucial to invest time and effort classifying data up front and distinguishing between security and data privacy. Only then can a business fully understand the value of data and how to handle each class. For example, non-regulated and low-sensitivity data can be safely stored in a public cloud without modification, while highly sensitive data may be better stored in private clouds or may require much tighter controls.
A Mix of Public and Private Clouds
Sorting through the dizzying array of issues related to cloud computing is something that Avatar New York has placed on a front burner. The marketing and e-business provider -- which claims clients such as Bergdorf Goodman, Sapporo and Yamaha -- has moved into a mix of public and private clouds to manage complex client projects.
Avatar uses Rackspace to ramp up the number of servers and computing resources as needed and relies on Puppet Labs to handle IT administration in the cloud. "Since we are managing valuable customer information, we have rigorous security requirements," explains Patrick Tully, chief technology officer.
The company also turned to CloudPassage and its Halo cloud protection software to secure its public cloud servers.
"Public clouds are extremely dynamic in nature, with IP addresses and other configuration settings subject to change if the server instance is rebooted," Tully says. "This causes all sorts of problems relating to host-security controls that rely on a static environment to operate."
To be sure, the software makes it easier to add servers and computing bandwidth within minutes, while also ensuring that all are airtight and adhere to compliance requirements before they are exposed to the Internet. The entire process is automated using Puppet scripts. Altogether, Avatar now operates more than 50 servers in the cloud.
Accenture's Sepple says that a cloud environment can actually be safer than servers residing in an enterprise data center. In the end, it's largely about taking a step back and examining best practices involving the cloud.
Once an organization understands its privacy and security risks, classifies data and establishes clearly defined roles surrounding security, other pieces fall into place. At that point, it's essential to find a cloud provider that offers a high level of transparency—including who it might subcontract with and what chain of controls exist—and then put the proper identify and access management pieces in place.
PwC's Loveland says that it's vital to determine the optimal mix of public, private and hybrid clouds, and examine how all types of technology (including mobile technology and social media) affect the cloud,. Mobile device management solutions and other technology management tools become more important in this new order of technology. It's also crucial to educate and train employees.
"Cloud computing is rapidly moving into the mainstream of the enterprise, Loveland points out, "so building the right protections is critical."