Cloud security: Try these techniques now
From divvying up responsibility to using third-party tools, here's how some companies are approaching the problem.
For Logiq³ Inc., the decision to go with a cloud-based provider of IT infrastructure as a service (IaaS) was a matter of cost and flexibility.
A start-up that began operations in 2006, the Toronto-based life reinsurance management firm could not afford to build and staff a data center from scratch, according to David Westgate, Logiq³'s vice president of technology. So Logiq³ instead chose cloud computing and managed IT services provider BlueLock LLC to handle its data needs in the cloud.
BlueLock's virtualized environment allowed data and volumes to move between systems in a dynamic, low-cost way that would be impossible with a traditional, hosted environment, Westgate says.
There were, however, security concerns to be addressed before Logiq³ would entrust its critical systems to BlueLock's cloud. The life reinsurance company handles death records, which include personal information like social security numbers, as well as financial data and information about major assets that its large financial customers have on their books. Although Logiq³ isn't regulated by the U.S. government's Sarbanes-Oxley Act, its customers in the financial sector are, "so they'll be auditing us," says Westgate. As a result, Logiq³ needed potential cloud vendors to demonstrate that they were in compliance with applicable regulations and could provide high levels of security.
Logiq³ is far from alone. While security and compliance issues crop up in any Web-based outsourcing arrangement, businesses are justifiably concerned about putting everything in a virtualized cloud. It's a comparatively new service area where risks are unknown -- "which in itself is a risk," says Jay Heiser, an analyst at Gartner Inc. "If I can't figure out how risky something is, I have to assume it isn't secure."
The extent to which hackers can take advantage of unique cloud vulnerabilities is being hotly debated at Web sites like Linkedin.com's Cloud Computing Alliance. So far, there have been few instances of a successful, large-scale data breach on a public cloud. Just recently, however, someone managed to set up the Zeus password-stealing botnet inside Amazon.com Inc.'s EC2 cloud computing infrastructure by first hacking into a Web site that was hosted on Amazon servers.
It is, in other words, early days yet in the cloud computing industry. Cloud vendors are, in some instances, playing catch-up on the security front, and IT managers are trying to figure out just exactly what the risks are and how to counter them.
Divvy up responsibility
A crucial first step is for cloud-based service providers and their potential clients to sit down and determine who has responsibility for securing and protecting what components of the IT infrastructure, which often spans both companies' systems. Sometimes, particularly with an IaaS provider, the division of labor is negotiable. For example, at Logiq³, Westgate decided to let BlueLock handle patching and configuration management because he was familiar with the software BlueLock was using, a tool from Shavlik Technologies LLC.
- Enterprises increasingly look to the private cloud
- Without the cloud, Microsoft may lose grasp on the enterprise
- How the cloud can make IT shops more innovative
- Business users bypass IT and go rogue to the cloud
- HP looks to ease enterprise IT cloud fears
- Afraid of the cloud? How to handle your fears
- 5 reasons why Google can catch Amazon in the cloud
- Public cloud market ready for 'hypergrowth' period
- Cloud security concerns are overblown, experts say
- Cloud computing 2014: Moving to a zero-trust security model
- SANS: Next-Generation Datacenters = Next-Generation Security This whitepaper takes a look at some new technology that may allow security teams to implement more flexible and capable protection models in...
- SANS: Protecting Virtual Endpoints with McAfee Server Security Suite Essentials SANS review of McAfees Server Security Suite Essentials that address some of the emerging challenges of securing virtual platforms and cloud environments.
- Safeguarding the Next-Generation Data Center Use of virtual and cloud servers has exploded. Unfortunately, security often lags behind. McAfee recommends looking at innovative solutions in order to erect...
- Aberdeen: Securing the Evolving Datacenter This report highlights ways security technologies and services are evolving to provide the visibility and control needed to deploy workloads flexibly in the...
- Live Webcast Security Vulnerabilities Associated With Having Local Administrator Privileges Viewfinity will demonstrate how removing admin rights and granularly managing privileges at the application level reduces the attack surface.
- Live Webcast IBM FlashSystem V840: Leveraging Software-Defined Flash to Drive Your Business With end-to-end, tightly integrated functionality and super-fast flash technology, products like IBM FlashSystem V840 Enterprise Performance Solution empower businesses to leverage the efficiency...
- Is SQL Server AlwaysOn really as powerful? Tips and Tricks from the field With the introduction of AlwaysOn, Windows Clustering Services is now more critical than ever.
- What Does it Take to Deliver a Superior Customer Experience? The Two Top-Rated Online Retailers, B&H Photo and Crutchfield Electronics, Share Their Secrets Discuss practical CX tools and service methods such as contact center agents and the use of realtime speech analytics to help contact center... All Topic Center White Papers | Webcasts