Finding Safety in the Cloud: a Q&A with Margaret Dawson
Posted by Integration Man on June 9, 2011
Cloud security will always be a hot topic – as it should be – because overall security (not just cloud security alone) remains a top priority for every IT department. To address the cloud specifically, there’s a plethora of information available for people to consume, but little guidance on what companies really need to focus on to ensure their cloud deployments are safe. And what does “safe” really mean after all? Is securing the cloud any different from securing the rest of your IT infrastructure?
To help shed some light on this topic, we interviewed our own Margaret Dawson, vice president of marketing and product management, to answer your burning questions about cloud security.
Hubspan: How do organizations migrate safely to public and private clouds without reinventing a bunch of new wheels security-wise?
Dawson: I think there is a fallacy that security needs to change when migrating to the cloud. Behind every cloud is a network and data center that needs to operate within the same security principles and mandates that your network does for on-premise consumption. If you are building a private cloud environment then your IT policies should remain completely consistent with what you have today, across all areas of security, from data protection to access control rules to Web security to virus protection, etc.
If you are going to leverage a public cloud or hybrid environment then your evaluation criteria of that cloud and vendor are critical. The cloud platform and infrastructure behind it should employ industry best practices for security and compliance. In fact, if you choose the right vendor, you should be leveraging a level of security and data protection that few companies can afford to implement and maintain on their own. This is one of the benefits of using cloud solutions – there is a highest common denominator factor when it comes to security, as well as scalability and performance.
If your organization does not have clear security policies today, then this is your first step to ensure migrating to the cloud maintains those mandates. You should not be re-inventing any security wheels but rather leveraging your current security practices or the best practices of a cloud vendor.
Hubspan: How can security processes, such as access controls, assessment, security management, and data protection be simplified and managed more easily in the hybrid cloud environment most organizations use today?
Dawson: The easiest way to ensure consistent security policies and processes is to have all cloud-based systems adhering to the same compliance mandate. If you are a PCI DSS shop required to have standard documentation and support services for payment card data security, then only work with clouds that are PCI compliant, for example. Also, look for best practices you can apply to your organization from vendor-agnostic sources, such as the Cloud Security Alliance. Security is an ongoing process and takes work whether on-premise or in the cloud, so moving infrastructure, applications or processes to the cloud does not take away the importance or work involved with security. However, if you have clear processes and policies in place, then the work needed is around applying that to new solutions or including them in your contract and SLAs with the cloud vendor.
One key gotcha to watch out for is layers of infrastructure behind a cloud platform or solution. For example, there are applications built on a platform-as-a-service (PaaS) that may leverage an outsourced infrastructure-as-a-service (IaaS). The more layers, the more challenging it is for you to control and have visibility into the overall security and access controls in place. Always ask what cloud infrastructure or platform is being used for any solution and make sure you can have documented evidence of the security and compliance in place for those platforms.
Hubspan: What really are the cost savings of moving to the cloud given the security and regulatory ramifications?
Dawson: If done right, there are not only cost savings in leveraging a cloud solution but great benefit in both operational efficiency and security. In fact, most companies can actually achieve a better state of security by moving to a proven cloud platform. A cloud vendor is focused on that infrastructure and environment for hundreds or thousands of companies.
That’s not to say that all clouds are created equal, because they are not, but it is absolutely possible to gain the economic benefits of the cloud, such as pay-for-what-you-consume pricing, no on-premise hardware or software, etc., while still achieving security best practices. Ideally, if the cloud vendor is compliant with key mandates, such as PCI DSS or SAS 70, then your costs go down, because you do not have to invest in the process yourself. The cloud vendor can spread this investment across multiple customers, passing on the savings to you.