Michael C. Pelletier, MBA, MSCS
When speaking with businesses about cloud computing, there are many benefits that surface— elasticity, agility and cost savings among them. But there are also some concerns that emerge, with security usually at the top of the list.
While it isn’t unreasonable that security should be called into question within the context of cloud computing, it is important to ensure that the scrutiny is focused on the right components. People need to know that the vital information they have stored in the cloud is safe from outside harm.
As with any software or service purchase, there should be a vetting process to determine whether a given cloud provider meets an organization’s needs. Focusing on security, there are actually several aspects to evaluate and consider. The truth is this: depending on the size of an organization, it is quite likely that the data center is less secure than what many cloud providers have in place.
Essentials of Cloud Security
That said, not all cloud providers are equal. Here are some of the most critical areas of focus to ensure cloud security:
Design and Operational Excellence—The overall design and approach to security is something that should be at the forefront of the provider’s operation. Security should be a focus of continuous improvement within the organization and not treated as an afterthought. An assumption of breach should also be pervasive with a defense-in-depth approach and internal simulation of attacks on various layers of the infrastructure.
Infrastructure Protection—Whether it’s 24-7 monitoring of the physical security of the facility, monitoring and logging of the systems themselves or monitoring of intrusion attempts, a comprehensive set monitoring services is a requirement. It is incumbent upon an organization to inform its customers in the event of a breach, and a comprehensive monitoring solution makes this possible.
Network Protection—Within the cloud providers should be a networking infrastructure that allows your on-premise assets the ability to securely connect to your cloud assets. Likewise, unauthorized traffic to and within the data center should be blocked using firewalls, partitioned local area networks and physical separation of back-end servers from public-facing ones. Virtual networking, encrypted communications and network isolation are key capabilities.
Identity and Access—Governance around users, application access and security is a crucial component of a cloud-computing platform. The ability to monitor and log access, provide multi-factor authentication and have single-sign-on integration with an existing on-premise directory infrastructure are important components of a successful cloud deployment.
Data Protection—Securing data in transit is something we’ve all become accustomed to using. SSL is omnipresent in any online transaction. That said, what about data at rest? Organizations should have the ability to encrypt data stored on cloud servers. In addition, although most cloud services are multi-tenant, the provider should employ a logical isolation of data from customer to customer. Finally, a data destruction practice should be defined so that if/when an organization stops using a given cloud vendor’s service, their data is physically removed/destroyed from resources before being reused.
Privacy—Privacy is one the most important factors to consider when evaluating the security of a cloud vendor. First and foremost is the contract. There should very specific privacy statements that make strong commitments to safeguarding the customer’s data. For some customers, knowing and controlling the physical location of the data is also important. Finally, access to data should only be done when supporting the customer; access should be denied by default and should be granted only within the context of a controlled and logged activity. It certainly shouldn’t be mined for advertising and related services.
Compliance—Lastly,the need for compliance varies from organization to organization with the specific industry often playing a key role in dictating what’s required. That said, the service provider should, at the very least, be certified for ISO 27001 and audited for SOC 1 Type 2 and SOC 2 Type 2. Additional industry specific certifications that may be relevant include PCI-DSS, United States FedRAMP JAB, IL2, HIPAA and HITECH.
There is much that goes into an organization’s cloud security, and it needs to be tailored to that organization’s needs, risk tolerance and industry regulations. A hybrid approach that moves certain workloads to the cloud but leaves others on-premise has proven quite effective, and it provides organizations with a good balance between the benefits of cloud computing and the risks.
Michael C. Pelletier, MBA, MSCS is a partner with BlumShapiro, the largest regional accounting, tax and business consulting firm based in New England, with offices in Connecticut, Massachusetts and Rhode Island. The firm, with nearly 400 professionals and staff, offers a diversity of services which includes auditing, accounting, tax and business advisory services. In addition, BlumShapiro provides a variety of specialized consulting services such as succession and estate planning, business technology services, employee benefit plan audits, litigation support and valuation, and financial staffing. The firm serves a wide range of privately held companies, government and non-profit organizations and provides non-audit services for publicly traded companies.