Securing the Cloud

Advice 2010-06-02 18:23

With customers demanding ever more stringent compliance-led contracts, Keith Bates, chairman of The Cloud Computing Centre, outlines how IT organisations can minimise the risk of moving to the cloud while still attaining the benefits of economies of scale, reduced headcount and new revenue streams.

The shift from on-premise to cloud computing continues to gain pace. But with customers’ number one concern now identified as security, how can an ISV or reseller ensure its hosting partner has the right processes and technologies in place to safeguard critical customer data? How does the shift from on-premise to the cloud affect issues such as PCI DSS compliance? And should organisations begin to impose greater security controls on end customers to improve authentication procedures?

Inexorable Shift

The move away from on-premise systems to cloud computing appears inexorable, with research organisations predicting a wholesale transition to the new model over the next decade. Growing numbers of IT providers, from Independent Software Vendors (ISVs) to consultancies and pure hardware providers, are looking to make the transition to cloud-based service delivery.

But while customer organisations are keen to improve operational efficiency, reduce headcount and improve the bottom line by moving from on-premise systems towards a hosted model, this is a major paradigm shift and requires careful consideration. What are the security implications of moving corporate data off site? What are the risks associated with the multi-tenanted cloud model?

A rash of cloud-security-led debates is whipping up anxiety across end-user organisations, apparently making security the number one consideration for every potential customer looking at cloud-based solutions.

But let’s put this into perspective: Level 3 or Level 4 data centres offer far greater levels of data security than on-premise systems. At a physical level, buildings are well ventilated, fireproof and have 24x7 security staff. They are also secured with leading-edge technology – from firewalls and anti-spam to anti-virus and real-time monitoring technology – that could never be justified by a single SME. And data centres will impose tight and consistent security policies; there will be no open firewalls to let senior management work remotely, for instance!

Private v Public

Of course, much of the cloud-based discussion relates to public rather than private cloud activity. The recent security breach at Google Docs obviously raised concerns about the security of corporate documents held on a public cloud.

Furthermore, organisations adopting cloud computing do not always know where their data is located. It could be held in countries such as the US or China, where there is uncertainty around how information is policed and where information security legislation is likely to be very different from UK legislation.

But private clouds offer organisations far more choice and control. If organisations are concerned about how the information could be accessed or misused, the best option is to partner with a hosting provider that only uses UK data centres – for both primary hosting and secondary backup sites.

While this is a straightforward evaluation, many resellers and ISVs do not have the internal security expertise required to truly evaluate a hosting provider’s security and privacy practices. At a basic level, ISO 27001 certification should be a given. But organisations also need to consider data protection, vulnerability management, physical and personnel security, availability, application security, incident response and privacy. And what is the ongoing commitment to improving security? For example, does the provider routinely employ an independent third party to undertake penetration tests?

And with threats coming from internal as well as external sources, what is a provider’s policy for ensuring data centre engineers cannot compromise systems? While most will routinely film all data centre activity, there is a growing demand for engineers to work in pairs, with joint sign-off of each activity, to further reduce the chance of an internal breach.

If resellers and ISVs are not comfortable with their internal security expertise, it is wise to turn to an independent third-party consultancy to evaluate the quality of any hosting provider’s security set-up. This is a critical transition – and with increasing penalties for data breaches, not one any organisation can afford to get wrong.
