Safety in the Cloud - Best Practices for Private and Public Models
With market analysis firm International Data Corporation (IDC) predicting $72.9 billion in cloud-related revenues by 2015, the cloud as the preferred storage and application environment is the future. Additionally, the IDC study indicates that by 2015, spending on public cloud services will account for nearly half of the net new growth in overall IT spending. This spending includes money spent on application development and deployment, infrastructure, storage, and servers.
In the face of this predicted growth and the inevitability of widespread cloud adoption, IT managers still question the security of both private and public cloud environments. A transition to the cloud can be fraught with concern, as IT fears data breaches and outages. However, no system is foolproof, and on-premise solutions present their own problems, with the downsides of increased costs and decreased efficiencies.
As the cloud marketplace matures and adoption reaches a steady pace, providers have increasingly turned to shoring up their standards and procedures. Spending on cloud security is also increasing, with exponential gains in uptime and intrusion protection experienced annually.
With the public cloud, such as that offered by Hostway’s FlexCloud infrastructure, the solution for the end user is highly automated and scalable to fit their needs. Customers who run complex multi-connection applications can plan and test these applications in the cloud, which provides an inexpensive development environment.
Controlling Security in Public and Private Environments:
For private and public clouds, uptime and data availability remain top priorities. Confirming internal IT staff’s ability to access and work with proprietary data is a key consideration when selecting a cloud provider. As always, the devil is in the details, and service level agreements should be carefully reviewed for availability guarantees and maintenance scheduling.
Solution providers are increasingly setting up more stringent policies regarding the actual location and movement of client data. As globalization trends continue, providers need to be aware of the various country and state-specific rules for data that contains any personally identifiable or financial information. Beyond simply running afoul of regulations and facing fines, companies are also at risk for the exposure of trade secrets or lost intellectual property, which can be severely damaging to their credibility and long-term success.
As with on-premise environments, cloud solutions require the first line of defense: sound password management procedures. An intruder gaining access to your public cloud data by entering “password” or “administrator” as a password is not an indictment of the security of the cloud, but simply of bad procedures. Sophisticated identity management tools can help staff and employees manage multiple passwords with confidence by alerting users to password repetition, prompting random password generation, and running programs to delete past employee access.
In the public environment, proximity between each individual customer’s data causes some concern about segregation policies and encryption. Solution providers should follow the latest encryption standards and also strict data removal practices when client relationships end or data is no longer needed. Top public cloud providers will offer complete managed services, including firewall setup and other proactive steps to block intrusion efforts.
Finding the right partner among the clouds:
Fairly low barriers to entry mean that untested or unscrupulous cloud providers can currently get a decent share of business. Over time, security lapses and uptime failures will doom the fly-by-night providers who aren’t investing internally in better processes and systems.
Choosing the right provider can mean the difference between success and failure in either the private or public cloud. Start with the simpler requests. Does the provider follow password management protocols? How extensive is their employee screening process, especially for those with deep access to customer data?
It’s important to pose a list of “what ifs?” to the provider. If their main data center is destroyed, is your data also lost? If not, then what are the disaster recovery options and how quickly can they be up and running? If a breach occurs, will the provider be transparent and quickly blog or Tweet status updates?
As the complexity of your needs grows, it becomes likely the cloud provider will need to enlist some outsourced companies to manage those needs. You need to have a clear understanding of the path your data takes and which outsourcers will be given access. These companies need to be held to the same data management, transport, and security standards as the cloud provider. Does the outsourcer use outsourcers? Knowing how far the chain stretches can help you gauge the security risk.
For most companies, a move to the cloud is becoming a question of “when?” instead of “why?” Considerable savings in both staffing and hardware are establishing the cloud as the clear choice over on-premise solutions. As more companies move to the cloud, more and more investment flows into enhanced security protocols for both public and private clouds.