This aspect of cloud computing is simply an evolution of the security practices in traditional outsourcing.
Regardless of all its hype, security in cloud computing is not a revolution; rather, it’s an evolution of the age-old business model of outsourcing. The concept of cloud computing has evolved from the concepts of grid, utility, and SaaS (Software-as-a-Service), and these models in turn evolved from the Application Service Provider model of the early to mid ’90s.
The emerging model of cloud computing allows people to tap into a vast network of computers scattered around the world using any type of connected device to analyse an abundance of information on demand. The information resides in massively-scalable data centres, provided by an outsourcer, which are enabled by the maturity and progression of virtualisation technology.
With any outsourcing model, business owners, not service providers, are ultimately responsible for maintaining the confidentiality, integrity and availability of their data.
Before embracing any type of outsourcing model, be it cloud or traditional, businesses must exercise best practices to ensure they are working with a trusted service provider who will be gaining access to and helping protect sensitive company data. It is also important to note that cloud computing is fundamentally an extension of an organisation’s environment, and similar vigilance needs to be in place as it relates to periodic assessments of what information is deemed “safe for the cloud.”
This new era of computing is as much about the need for security as it is about the need for communication. Businesses must not only trust their service provider, but also, during the information gathering process, enable open communication to ensure proper oversight and control of the information being accessed. A security risk assessment should always be conducted, checking the provider’s credentials, where the service is operated from, and which external assessments the supplier adheres to.
Moreover, service providers should provide informational assets and mechanisms that allow for real-time understanding of the security posture. In addition to a security risk assessment, proper security measures must be in place at the customer’s premises to ensure secure transactions with the cloud. This is accomplished through implementation of traditional defence-in-depth practices such as network and endpoint protection technologies, coupled with managed security services for real-time monitoring and response.
While the majority of businesses remain completely unaware of everyday in-house security controls and protections, the act of extending their business out to the cloud amplifies the need to increase understanding of current security models.
A cloud model implementation must offer adequate or better security and management than what is currently in place. By focusing full attention on the data involved, there are several questions businesses can ask themselves to help understand the outsourcing process. Questions such as “Is this data mission critical?” and “Does this data represent private customer information?” enable businesses to determine the level of security they need and whether the data is appropriate for the cloud.
Not all business data is appropriate for the cloud model, as would be the case for any outsourcing. When considering data security, information that has external-facing attributes and is not considered mission-critical should be considered safe for the cloud. Internal data that is not mission-critical is also considered safe. Regardless, the appropriate levels of security should always be applied to each classification of information while minimising the likelihood of creating security or business exposures. Keep in mind, though, that if the data is competitive and mission-critical, it might be most secure behind a company’s own firewall.
More importantly, for data that is both competitive and mission-critical, companies can best control risk by looking to manage it themselves. So, yes, embrace cloud computing – the potential for businesses to leverage this next-generation capability is huge – but deploy with caution. Trust, but verify.