Regardless of all its hype, security in cloud computing is not a revolution; rather it’s an evolution of the age-old business model of outsourcing. The concept of cloud computing has evolved from the concepts of grid, utility, and SaaS (Software as a Service), and these models evolved from the application service provider in the mid-early ’90s. The emerging model of cloud computing allows people to tap into a vast network of computers scattered around the world using any type of connected device to analyze an abundance of information on demand. The information resides in massively scalable data centers, provided by an outsourcer, which are enabled by the maturity and progression of virtualization technology.
With any outsourcing model, business owners, not service providers, are ultimately responsible for maintaining the confidentiality, integrity and availability of their data. Before embracing any type of outsourcing model, be it cloud or traditional, businesses must exercise best practices to ensure they are working with a trusted service provider who will be gaining access to and helping protect sensitive company data. It is also important to note that cloud computing is fundamentally an extension of an organization’s environment, and similar vigilance needs to be in place as it relates to periodic assessments of what information is deemed “safe for the cloud.”
Security and Communication
This new era of computing is as much about the need for security as it is about the need for communication. Businesses must not only trust their service provider, but also, during the information-gathering process, enable open communication to ensure proper oversight and control of the information being accessed. A security risk assessment always should be conducted by checking the provider’s credentials, from where the service is operated, and to which external assessments the supplier adheres. Moreover, service providers should provide informational assets and mechanisms that allow for real-time understanding of the security posture. In addition to a security risk assessment, proper security measures must be in place at the customer’s premise to ensure secure transactions with the cloud. This is accomplished through implementation of traditional in-depth defense practices such as network and endpoint protection technologies, coupled with managed security services for real-time monitoring and response.
While the majority of businesses remain completely unaware of everyday in-house security controls and protections, the act of extending their business out to the cloud amplifies the need to increase understanding of current security models. A cloud model implementation must offer adequate or better security and management than what currently is in place. By focusing full attention on the data involved, there are several questions businesses can ask themselves to help understand the outsourcing process. Questions such as “Is this data mission critical?” and “Does this data represent private customer information?” enable businesses to determine the level of security they need and if the data is appropriate for the cloud.
What Is Cloud-Safe Data?
Not all business data is appropriate for the cloud model — as would be the case for any outsourcing. When considering data security, information that has external facing attributes and is not considered mission critical should be considered safe for the cloud. Also, internal-only data that is non-mission critical is also considered safe. Regardless, the appropriate levels of security should always be applied to each classification of information while minimizing the likelihood of creating security or business exposures. Keep in mind though that if the data is competitive and mission-critical, it might be most secure behind a company’s own firewall. More importantly, for data that is both competitive and mission-critical, companies can best control risk by looking to manage it themselves.
While security risks may always be a concern in the information technology industry, businesses that embrace new technologies while maintaining strategic focus on core IT and business initiatives will be successful in the emerging technology landscape and will have the tools to better leverage existing resource investments. In order to satisfy today’s challenges in the explosion of data, the need for businesses to move to the next generation of computing, cloud computing, is imminent.
Harold Moss is a security architect for IBM Software Group.