Gartner: Don't trust cloud provider to protect your corporate assets
Sensitive information that needs to be protected - customer data, mission critical applications, production-grade information - in many cases needs its own security controls to be fully protected. "As you move out to cloud-based models, there are some things you can trust your cloud provider with, but for critical business data and regulation-controlled information, very rarely is the infrastructure going to be enough," Pescatore said during a webinar sponsored by Gartner this week.
Security remains a top concern for companies looking to deploy a cloud strategy, but Pescatore says there are ways to alleviate the fears. One key, he says, is to have security provisions that are designed to specifically protect cloud applications, data or workloads. A prime example is credit card information. Payment Card Industry (PCI) certification requires that any customer credit card data that is stored electronically be encrypted. Some cloud service providers will offer encryption services within their cloud-based storage offering. But, there are a range of third-party applications that customers can buy to provide encryption services, distributed denial-of-service (DDoS) protection, and access control measures that are tailored specifically for cloud deployments. Many of these are delivered in a cloud format.
There are a variety of cloud security products on the market for numerous functions. Providers such as Zscaler, Websense or ScanSafe from Cisco are "gateway" products that sit between the user and the cloud provider to monitor what data is being put into the cloud and to make sure malicious data or applications don't penetrate into the user's system. If the cloud is being used to host a website, there are website protection services, such as Imperva, CloudFlare and even some from Akamai in this area, for example.
Overall though, Pescatore says cloud security starts at a basic level. Most enterprises begin their journey to the cloud with a private, internal cloud, and that's a good place to start with security controls, too. "Get security right in the private cloud first, then extent it into the hybrid and public," he suggested. Having processes in place to protecting virtualised environments from outside attacks is important, he says. "Get visibility into the system, the change controls and the vulnerabilities," he says. This includes securing the orchestration of the architecture and the provisioning of new accounts, domains and virtual machines.
The migration beyond a private cloud is usually then toward incorporating some public cloud services. Many times companies expand to public cloud services for non-mission critical applications though, such as test, development or bursting capacity. So, not everything may have to be secured to a maximum security level. "Protect the sensitive information and only put the less sensitive data into the cloud in the native form," he says, referring to the process of tokenisation.
Pescatore says the focus for cloud security should be on the processes of protecting the cloud. Create policies for cloud security, then make sure they are implemented throughout the cloud deployment and stick with them. The vulnerabilities are created when there are inconsistent policies or unenforced security controls, he says. "We really have not yet seen major new attacks that are trying to compromise the cloud infrastructure or the virtualisation layer," he says. "The reality today is that the easy pickings (for the hackers) are attacking the companies using the cloud services."
The good news is customers have a wide variety of options. For low-level security requirements, the cloud service provider, either on the infrastructure or software as a service side, usually each have their own security features. Amazon Web Services is FISMA compliant; FireHost, another cloud service provider, is PCI compliant. At the least, Pescatore says users should look for their providers to be ISO 27001, SOC 2 or SOC 3 certified. Beyond that, and especially for sensitive information, there are third-party security offerings for a range of uses.
CIO100 2013 Overview: Chief transformation officer
CIOs are across a raft of programmes using disruptive and traditional technology - effectively leading change throughout the organisation in a tough economy.
Fighting for privacy
An interview with Kaliya Hamlin, aka 'Identity Woman' and head of the Personal Data Ecosystem Consortium, which aims to give individuals control over their personal data and how it is used by corporations.
- New Zealand’s IT leaders announced at CIO Awards
- Amazon CTO: Stop spending money on ‘undifferentiated heavy lifting’
- CIO Agenda: Innovate and transform on the ‘third platform’
- Five ways to create a collaborative risk management program
- BlackBerry pitches to NZ businesses in bid to recapture market share
CONNECT WITH @ CIO NZ
CIO is bringing together the best of MIS NZ and CIO, the new look CIO is the only magazine that focuses on the unique management needs of senior IT professionals.
Get the latest news from CIO delivered via email.
CIO 100 REPORT
The definitive guide to New Zealand's largest and most significant ICT users.
READ NOW »