A Layered Approach
Some experts recommend a layered security model when using the cloud. "As is the case with most security controls, defense-in-depth is especially important when dealing with cloud computing," says Rik Boren, a partner at consulting firm PricewaterhouseCoopers in New York. "While there is no silver bullet that can completely secure an application hosted in the cloud, risks can be mitigated by applying proper security controls at each layer of the architecture."
Many cloud providers incorporate security measures such as static code analysis tools at the platform-as-a-service layer to remedy the gaps in a layered security approach, Boren says. Access control is also very important. "If the organization cannot implement or enforce its enterprise identity management solution in the cloud, [it] must make sure that access control policies in place in the cloud are -- at a minimum -- at the level of the organization's policies," he says.
Companies using cloud services are proactively addressing security concerns. Alpine Access, a Denver company that operates a virtual call center for clients, "is always looking to tighten security in light of emerging threats," says Rich Sadowski, vice president of solutions engineering. "We are continually updating our hardware and software, as well as patches."
The company uses Amazon.com's Amazon Web Services across four geographic zones throughout North America for extra availability and security. It has used cloud services for several years for payroll processing, collaboration, customer relationship management and other applications.
Other steps Alpine has taken include deploying a "firewall sandwich" to protect Web application servers and back-end systems. "This configuration is particularly important in the cloud, where back-to-back firewalls often exist at the boundaries of the service provider and enterprise network infrastructures," Sadowski says. He says other effective security technologies include multiple-factor authentication and context-based authentication, which uses contextual information to help confirm a user's identity.
Hult International Business School in Boston runs multiple applications in public and private clouds, including a learning management system, email, file storage and social media tools.
The school's IT department thoroughly researched cloud providers and assessed its own security needs before moving apps to the cloud. "I didn't really focus on vendors' assurances as much as I did on my own research to verify the security of cloud providers," says CIO Yousuf Khan. "The key thing is asking, 'What's the criticality of the application, and have I done my homework when considering moving it to the cloud?' "
Hult also uses security tools such as an identity and access management application from OneLogin, which enables users to go to a portal to be authenticated for access to applications in the cloud.
Organizations that rely on the cloud need to build in expectations for occasional service outages, "because no matter which provider you use, there's an outside chance it's going to happen," Khan says. "You have to develop a good backup plan and operationally know how you will react. It's really just doing a good level of due diligence."
Violino is a freelance writer in Massapequa Park, N.Y. You can contact him at bviolino@optonline.net or follow him on Twitter (@BobViolino).