There is no reason why a public cloud storage system won’t be as secure as most on-premise systems. Indeed, most public cloud-based systems have better security mechanisms than those in traditional data centers. For instance, many provide encryption services for data, both in-flight and at rest. So why do many enterprises still distrust the cloud? Perhaps because it can be confusing to secure your public cloud–based data store or application.
Here are 5 easy steps to understanding and ensuring cloud computing security.
Step 1. Understand your requirements
Few enterprise clients understand the security requirements necessary to implement a secure public cloud storage solution. Typically, they have misinformed notions about the legal and compliance issues around the protection of corporate and government data, such as assuming that it is against the law to store some data in public cloud providers.
Specific items that need to be reviewed in detail include any laws or regulations that require compliance and what technology is mandated (e.g., encryption levels or location of data). Moreover, what are the existing internal policies around data protection, including approaches for evaluating risk? These policies and processes should be formalized and approved by leadership so everything is well understood.
Step 2. Create a plan
Unfortunately, security is often added during the final hours of deployment. Approaching security for the cloud requires a master security plan using the requirements from step 1. Keep in mind that security is systemic to cloud computing: It is part of every step in the plan.
This leads us to the actual security solutions that should be evaluated, including solution patterns and candidate technology such as Ping Identity for a pure, cloud-based security or more-traditional enterprise security solutions such as IBM’s Tivoli.
Step 3. Consider identity-based security
The best approach to cloud computing security considers all assets — including humans, servers, data, processes — as identities that can be managed in terms of access to resources and as resources themselves. We call this approach “identity-based security,” and it considers all resources in system architecture to be things that both have an identity and have to validate their identity to a central security system.
The application of identity-based security to cloud computing is quickly emerging: The ability to manage many different identities, providing fine-grained authentication for access (such as data), is well suited to the distributed computing model behind most cloud computing–based systems.
Specific methods of identity-based security include breaking out most system components, cloud-bound or not, and considering how each interacts with the other. From there, you can determine the best way to identify each component and then how they will be authorized at runtime, typically using identity-based security software.
Step 4. Select the right security technology
Using the requirements you have already determined, pick a few technologies that seem like they might work for you and test them before implementation. Many IT decision makers take the vendor or cloud provider’s word, which is a huge mistake.
POC testing is mandatory: You should go into deployment with no questions unanswered. Questions that you should be asking include:
- Cost of the target deployment?
- Security system performance?
- Interface compatibility with all connected systems?
- Administrative procedures?
- Ability to meet all security requirements, including regulations?
Step 5. Deploy, test, monitor
Once the right security technology is selected, it is time to deploy the technology. Note that you cannot decouple security from the core processes and data but rather must integrate it into the life cycle of the cloud-based system.
Test the security. Many security firms provide “white hat” penetration testing, and a few weeks of that service will either provide insurance that the solution works or will reveal the need for additional configuration.
Finally, understand that monitoring is required over time: Plan on leveraging some sort of dashboard to track how the security system is operating during runtime. Typically, this means watching for hacking attempts and the security system’s ability to protect the core cloud computing system.
Are these easy steps? Yes. Do they require some thinking? You bet. It’s getting tougher for public cloud detractors to defend their position, and by following these steps, you will find that a cloud-based system can be more secure than anything currently in your data center.