22
Cloud Security Tom Salkield
COMBAT ING CLOUD SE C URI T Y
Tom Salkield explains how to protect your data while capitalising on the cloud’s advantages
While cloud computing has been discussed ad nauseum for years, and adoption rates are rising, security concerns continue to challenge the uptake in cloud services as organisations deliberate over outsourcing their data. Cloud computing enables companies to provide flex- ibility, increase efficiency, and cut operational and infrastruc- tural costs, while simultaneously growing their businesses. We mustn’t forget, however, that cloud is a virtualisation of resources, and where there are benefits, there are risks. So how can companies make their corporate data safe, when processing it outside the organisation? Below are a pick of the critical and effective practices for securing your assets, while taking advantage of the cloud.
ASSESS THE RISK
Organisations considering cloud-based services must understand the associated risks. Some internal corporate processes will be more sensitive than others, and compa- nies must evaluate and define which data they would be comfortable moving to a third-party cloud service provider. This risk management process is about assessing which of the business processes are critical, and calculating the risk against the proposed cost reduction by defining the data sensitivity and the benefit of processing it externally.
CREATE A BACKUP PLAN
Continuity of operations and data security is a given, but even cloud-based service can fail. Ensuring you have a backup plan to recover will protect against any unpredict- ability. It is possible to backup cloud-based data locally, depending on what model you’re using.
IaaS provides virtualised machines in the cloud, giving companies maximum flexibility for backups. PaaS provides software frameworks and software libraries on which ap- plications can be deployed, and many of these offer backup options. Even some SaaS offerings, which provide canned, hosted applications and data with little customisation, can be configured for local backups.
IDENTITY MANAGEMENT IN THE CLOUD Identity management is broadly defined as a set of poli-
CCI Magazine January 2013
cies and tools that identify individuals within a system or network. Implementing a roles-based management system that assigns roles to employees, and binds system privileges and data access to those roles, will prevent users from unauthorised access to internal resources and processes. With cloud providers you can find yourself with multiple access permissions across a variety of applica- tions. By utilising a federated identity system, an organisa- tion can extend identity management to the cloud, pro- tecting cloud-based applications and data using internally developed authentication policies and access privileges.
USE SERVICE LEVEL AGREEMENTS Like any service, you need a guarantee. You must be
prepared to expect the unexpected and know that you can overcome any challenges you might face. Businesses using cloud infrastructures must ascertain some ground rules and be certain that their data will be both protected and avail- able at all times. They must consider the service levels that a provider is offering. Some providers will now offer a set level of uptime for their SaaS infrastructures, for example, along with a payment guarantee if they don’t perform. With a service level agreement you can set expectations and maintain a desired service level from the off.
VET CLOUD SERVICE PROVIDERS Selecting a good cloud provider should involve research-
ing and due diligence in comparing the security measures and controls that each provider uses to keep its custom- ers’ data safe. Crucially, it is important to use a benchmark to evaluate the provider’s security posture. Sadly, security standards designed to focus explicitly on the cloud are still relatively immature. However, if a cloud provider is certified using broad industry standards, such as ISO 270001 and the emerging Cloud Security Alliance, it can provide some reas- surance about the security of its information management. Data protection is imperative and, ultimately, the re- sponsibility is with businesses to ensure they understand and take responsibility as custodians of their data, and their customers’. Businesses should assess their policies and procedures irrespective of the third party providers that they use to avoid the repercussions should a breach occur in the future.
ABOUT THE AUTHOR Tom Salkield
Over the last 15 years Tom Salkield has built up experience both in IT security technology and business management. Prior to taking up the position of Director of Professional Services (UK) with Integralis he was a Director at Capgemini, where he held senior leadership roles driving business transformation for clients facing security challenges. Previously, he established and built up the highly successful security practice at NetStore.
www.cloudcomputingintelligence.com
Page 1 |
Page 2 |
Page 3 |
Page 4 |
Page 5 |
Page 6 |
Page 7 |
Page 8 |
Page 9 |
Page 10 |
Page 11 |
Page 12 |
Page 13 |
Page 14 |
Page 15 |
Page 16 |
Page 17 |
Page 18 |
Page 19 |
Page 20 |
Page 21 |
Page 22 |
Page 23 |
Page 24 |
Page 25 |
Page 26 |
Page 27 |
Page 28 |
Page 29 |
Page 30 |
Page 31 |
Page 32 |
Page 33 |
Page 34 |
Page 35 |
Page 36 |
Page 37 |
Page 38 |
Page 39 |
Page 40 |
Page 41 |
Page 42 |
Page 43 |
Page 44 |
Page 45 |
Page 46 |
Page 47 |
Page 48 |
Page 49 |
Page 50 |
Page 51 |
Page 52 |
Page 53 |
Page 54 |
Page 55 |
Page 56 |
Page 57 |
Page 58 |
Page 59 |
Page 60 |
Page 61 |
Page 62 |
Page 63 |
Page 64 |
Page 65 |
Page 66 |
Page 67 |
Page 68