Fear of cloud security risks has been around for as long as cloud computing technology itself. While high-profile cloud outages and data theft further make IT professionals sceptical, securing the cloud need not be taxing. Here’s a clue: Make data the centre of your attention, not the technology.
Moving IT to the cloud brings advantages such as flexibility and scalability, but its
Cloud also enables more effective working across groups: direct employees, contractors, consultants and domain experts can be brought in on an ad hoc basis to add their skills to any project under consideration.
Implementing a cloud infrastructure, however, tends to send security professionals into shivers of fear because of cloud’s security risks.
Security is perceived to be bad enough even when the information is within the direct control of the organisation. But as soon as data is put into an environment where a lesser degree (or no degree at all) of control is in place, the perception of security risks reaches a whole new level, becoming the biggest issue for IT pros.
Now, however, such a “server hugger” mentality is changing. Savvy IT pros understand that their own levels of information security are not always as strong as they could be. Furthermore, the benefits of cloud-based services have convinced them to tackle security risks of the cloud.
Beating cloud security risks
Overcoming the lack of security in cloud computing requires concerted efforts from service providers, industry bodies and cloud adopters.
External providers -- ranging from colocation data centre facilities to hosting companies providing IaaS, PaaS or SaaS (Infrastructure, Platform or Software as a Service) -- can implement more consistent physical and technical security to ensure that their environments meet recognised security levels, such as the industry standards ISO 17799 or ISO 27001.
This still leaves the problem of the information moving along the value chains. The security fear at this stage is that information could be intercepted and the intellectual property within it used to the detriment of the organisation.
Let’s look at this in greater detail. An average-sized organisation may not have a fully coherent information security policy in place. It may have a perception of security, where technology has been put in place to meet specific needs, such as firewalls, using encryption for data at rest and using virtualisation to centralise information within a specific data centre.
What happens, though, when the wider aspects have been overlooked? For instance, when an employee leaves an organisation, can the organisation guarantee that every copy of data the person holds on their multiple devices (PCs, laptops, smartphones, tablets, etc.) has been deleted? What happens when it comes to a disgruntled employee who hasn’t handed in his resignation letter yet? Is his information usage being tracked and audited? For example, does the organisation know what is being sent from its own environment to others via email, and what actions are being carried out on specific information assets, such as database access or email printing or forwarding?
How about the risk of device loss or theft? With the storage capacity of smart devices increasing rapidly, losing the information held on them can be financially crippling for an organisation, whether the device carries intellectual property or just personally identifiable information, such as a corporate database of external contacts.
When taking cloud to its logical “hybrid cloud” conclusion -- a mix of private and public clouds serving the complete value chain -- overcoming cloud security risks can appear to be such a massive project that it is easier to concentrate only on what can be controlled, i.e., the private cloud. Yet relatively simple approaches can produce a compliance-oriented architecture: an inherently secure system that supports physical, virtual and cloud platforms and, at the same time, promises the capability to embrace any new platforms that may come along.
Manage data, not technology, to beat cloud security risks
The key is to focus on the information itself, not the technology. Applying security policies to an item of information makes it secure no matter where it is. For example, if an item of information is encrypted on the move and at rest, then only those with the capability to decrypt the information have access to it.
The decryption keys may be held on external devices or on employees’ own devices through embracing a bring your own device -- BYOD -- strategy. You can secure these keys through the use of biometric access to devices, and the lifetime of the keys can be managed through digital rights management (DRM) software. Anyone with access to the information can be immediately cut off from access should they leave, be terminated or otherwise cease to be part of the required team working with the information.
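The two paragraphs above describe protection that travels with the information: the item is encrypted, each person holds a key with a managed lifetime, and a leaver is cut off by withdrawing that key rather than by chasing copies of the file. The following is an added illustration of that model, not code from the article or from Quocirca. The document is encrypted once under a data key; each user receives that data key wrapped under their own device key with an expiry, and revocation simply deletes the grant. The cipher is a stand-in built from HMAC-SHA256 so the example runs on a bare Python install (an assumption for the illustration; a real system would use AES-GCM), and the user names and keys are constructed.

```python
"""Data-centric protection: encrypt the document once, grant each person a
wrapped copy of the data key with a lifetime, revoke by deleting the grant.
Added illustration, not the article's code.  The cipher is a stand-in made
from HMAC-SHA256 so it runs with the standard library; use AES-GCM for real."""
import hashlib
import hmac
import secrets
import time

NONCE_LEN, TAG_LEN = 16, 32


def _subkey(key: bytes, label: bytes) -> bytes:
    # Derive separate encryption and MAC keys from one 32-byte secret.
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # Stand-in keystream: HMAC-SHA256 over nonce||counter (toy construction).
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; returns nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(NONCE_LEN)
    stream = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ciphertext = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def open_sealed(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; a wrong key or altered blob is rejected."""
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("blob rejected: wrong key or tampered ciphertext")
    stream = _keystream(_subkey(key, b"enc"), nonce, len(ciphertext))
    return bytes(c ^ s for c, s in zip(ciphertext, stream))


class ProtectedDocument:
    """One encrypted blob that can live anywhere; access lives in the grants."""

    def __init__(self, plaintext: bytes):
        self._data_key = secrets.token_bytes(32)      # held by the policy service only
        self.blob = seal(self._data_key, plaintext)   # safe to store in any cloud
        self._grants = {}                             # user -> (wrapped key, expiry)

    def grant(self, user, user_key, lifetime_s, now=None):
        # Wrap the data key under the user's own device key and attach a DRM-style lifetime.
        now = time.time() if now is None else now
        self._grants[user] = (seal(user_key, self._data_key), now + lifetime_s)

    def revoke(self, user):
        # Leaver or role change: drop the grant so the person can no longer obtain the key.
        self._grants.pop(user, None)

    def unlock(self, user, user_key, now=None) -> bytes:
        now = time.time() if now is None else now
        if user not in self._grants:
            raise PermissionError(f"{user}: no grant")
        wrapped, expiry = self._grants[user]
        if now > expiry:
            raise PermissionError(f"{user}: grant expired")
        data_key = open_sealed(user_key, wrapped)     # fails with a wrong device key
        return open_sealed(data_key, self.blob)


if __name__ == "__main__":
    doc = ProtectedDocument(b"Draft patent application: claims 1-12")
    device_key = secrets.token_bytes(32)              # constructed user device key
    doc.grant("alice", device_key, lifetime_s=3600)
    print(doc.unlock("alice", device_key))
    doc.revoke("alice")
    try:
        doc.unlock("alice", device_key)
    except PermissionError as exc:
        print("blocked:", exc)
```

Note what revocation does and does not do: it stops the person from obtaining the data key again, and the blob itself can sit in any cloud without exposing the text, but someone who had already unwrapped the key keeps it. That is why the article pairs key lifetimes with DRM software and client-side controls rather than relying on the cipher alone.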
IT pros can use data leak prevention systems to ensure that certain information stays within a constrained environment -- for example, information on mergers and acquisitions accessible only amongst a well-defined group of senior executives and legal personnel. Information on a patent application, for instance, can be stopped from passing from the private cloud to any external environment based on key phrases and intelligent heuristics that can summarise and match content against base information security rules.
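The paragraph above sketches how a data leak prevention rule works: content is matched against key phrases for an information class, and a message is held when it matches and is bound for someone outside the permitted group. The following is an added illustration of that rule, not the article's code and not any particular DLP product. The information classes, phrases, recipient domains and sample messages are all constructed; the "heuristic" is a minimum count of distinct phrases, so one stray word such as "acquisition" in an unrelated note does not trigger a block.

```python
"""Content-based DLP rule: hold outbound mail when enough key phrases for an
information class hit and a recipient is outside the permitted domains.
Added illustration, not the article's code; all rules and messages constructed."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    phrases: tuple          # indicative key phrases for this information class
    min_hits: int           # distinct phrases required before the rule fires
    allowed_domains: tuple  # recipient domains permitted to receive it


RULES = (
    Rule("patent-application",
         ("patent application", "prior art", "claims", "filing date", "inventor"),
         min_hits=2, allowed_domains=("corp.example", "patent-counsel.example")),
    Rule("mergers-acquisitions",
         ("merger", "acquisition", "term sheet", "due diligence", "project falcon"),
         min_hits=2, allowed_domains=("corp.example",)),
)


def normalise(text: str) -> str:
    # Collapse whitespace and case so "Patent\n  Application" still matches.
    return re.sub(r"\s+", " ", text).lower()


def phrase_hits(text: str, rule: Rule) -> set:
    """Distinct key phrases of the rule found in the text (whole-word matches)."""
    body = normalise(text)
    return {p for p in rule.phrases
            if re.search(r"\b" + re.escape(p) + r"\b", body)}


def recipient_domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def evaluate(message: dict) -> dict:
    """Decide allow/block for one message; the dict explains why."""
    text = message["subject"] + "\n" + message["body"]
    for rule in RULES:
        hits = phrase_hits(text, rule)
        if len(hits) < rule.min_hits:
            continue  # below threshold: one stray word is not a leak
        outside = [r for r in message["to"]
                   if recipient_domain(r) not in rule.allowed_domains]
        if outside:
            return {"action": "block", "rule": rule.name,
                    "hits": sorted(hits), "external": outside}
    return {"action": "allow", "rule": None, "hits": [], "external": []}


# Constructed sample traffic.
SAMPLE_MESSAGES = [
    {"to": ["legal@corp.example"], "subject": "Patent application draft",
     "body": "Attached are the claims and a summary of prior art."},
    {"to": ["friend@webmail.example"], "subject": "FYI",
     "body": "Our Patent   Application lists claims 1-12 and a filing date of 3 May."},
    {"to": ["vendor@supplier.example"], "subject": "Meeting",
     "body": "Let's discuss the acquisition of new office chairs."},
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(msg["to"], evaluate(msg))
```

The first message stays inside the permitted group and is allowed; the second carries three patent phrases to an external mailbox and is blocked; the third mentions "acquisition" once, which is below the threshold, so it passes. Real deployments add document fingerprints and classification labels to the phrase lists, but the decision structure is the same.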
Benefits of a compliance-oriented architecture
IT pros can use desktop virtualisation to ensure that core information is stored within a defined environment and, where necessary, to prevent any information from being stored on a client device. The key is to make sure that all information is stored centrally.
In addition, they can use client virtualisation in such a way that information cannot be cut, copied and pasted between corporate and personal environments. They can put logging and event-auditing systems in place so that printing, forwarding and other activities carried out against information assets are monitored and, when necessary, halted or raised as exceptions to an employee’s line manager or to the corporate security team.
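The logging and event-auditing step in the paragraph above is the part that can be shown in code: actions against information assets are recorded, checked against a policy, and anything outside it is raised as an exception to the line manager or the security team. The following is an added illustration, not the article's code. The audit line format, the classification labels, the thresholds and the sample log lines are constructed for the example; an outright forbidden action (printing or forwarding a restricted asset) goes to the security team, while a burst of confidential downloads goes to the line manager.

```python
"""Event auditing over information assets: forbidden actions and download
bursts become exceptions with an escalation target.  Added illustration, not
the article's code; log format, labels, thresholds and lines are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit feed: timestamp user action asset classification
SAMPLE_LOG = """\
2012-08-01T09:02:11 alice print    HR/salary-review.xlsx    restricted
2012-08-01T09:05:40 bob   view     Eng/design-notes.docx    internal
2012-08-01T09:06:02 bob   forward  Legal/patent-draft.docx  restricted
2012-08-01T09:07:15 carol download CRM/contacts-export.csv  confidential
2012-08-01T09:07:19 carol download CRM/contacts-2.csv       confidential
2012-08-01T09:07:23 carol download CRM/contacts-3.csv       confidential
2012-08-01T09:07:30 carol download CRM/contacts-4.csv       confidential
2012-08-01T14:30:00 carol download CRM/contacts-5.csv       confidential
"""

# Policy: actions never allowed per classification, and a bulk-download
# threshold (count within a window) that warrants a manager's attention.
BLOCKED_ACTIONS = {"restricted": {"print", "forward"}}
BULK_THRESHOLD, BULK_WINDOW = 3, timedelta(minutes=5)


def parse(log_text: str) -> list:
    """Turn the whitespace-separated audit lines into event dicts."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, action, asset, label = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "action": action, "asset": asset, "label": label})
    return events


def find_exceptions(events: list) -> list:
    """Return exceptions, each with the person it should be raised to."""
    exceptions = []
    # 1. Single events the policy forbids outright -> security team.
    for e in events:
        if e["action"] in BLOCKED_ACTIONS.get(e["label"], set()):
            exceptions.append({"user": e["user"],
                               "reason": f"{e['action']} of {e['label']} asset {e['asset']}",
                               "escalate_to": "security-team"})
    # 2. Bursts of downloads of sensitive data -> line manager.
    by_user = defaultdict(list)
    for e in events:
        if e["action"] == "download" and e["label"] in ("confidential", "restricted"):
            by_user[e["user"]].append(e["ts"])
    for user, times in by_user.items():
        times.sort()
        for i, start in enumerate(times):
            in_window = [t for t in times[i:] if t - start <= BULK_WINDOW]
            if len(in_window) >= BULK_THRESHOLD:
                exceptions.append({"user": user,
                                   "reason": f"{len(in_window)} downloads within {BULK_WINDOW}",
                                   "escalate_to": "line-manager"})
                break  # one exception per user per burst is enough
    return exceptions


if __name__ == "__main__":
    for exc in find_exceptions(parse(SAMPLE_LOG)):
        print(exc)
```

On the sample feed this raises three exceptions: alice's print and bob's forward of restricted assets go to the security team, and carol's four confidential downloads inside five minutes go to her line manager; the afternoon download on its own does not. The sliding window is what separates a burst from routine use of the same data over a day.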
Such an approach means that the cloud is just another platform for secure information transport and dissemination. Should the information be intercepted, it will be just a set of ones and zeroes -- of minimal use to the interceptor. For individuals who meet the organisation’s security policies, the information will be available in a secure manner no matter where they are.
A compliance-oriented architecture puts security where it should be, as an enabler to the business, not as a constraint. With a suitable approach driven from the private cloud or private data centre, IT can overcome cloud security risks across the complete value chain, making companies far more competitive and responsive in their sectors.
Clive Longbottom is a service director at UK analyst Quocirca Ltd. and a contributor to SearchVirtualDataCentre.co.uk.
This was first published in August 2012