Is your critical data safe in the ‘cloud’? asks Simon Withers, the Vice President, Product Management for Global Cloud Services at Sungard Availability.
For a rapidly growing network of companies with critical data, migrating to the cloud has moved from an idea to reality. But while cloud services promise rich economic benefits, scalability and flexibility, they also can trigger significant perceived risks for companies that are highly concerned about security, data protection, reliability and availability.
Primarily, breaches of one’s data can prove both devastating and costly, with any breaches sparking downtime that could lead to potential loss of business, credibility or integrity. Still, for increased security, you may actually want to consider the cloud. While this goes against conventional wisdom, there are reasons it makes sense …
One, partnering with a vendor with a network of dedicated data centres and one that follows a holistic approach to serving customers can alleviate security concerns. Why? Because of the single-minded obsessiveness that these vendors must bring to bear.
Indeed, a third-party data centre with SSAE16 Type II certification will meet and probably exceed the dedicated security elements of centres without this certification through the requirements for strict process, procedures and controls. Any cloud environment should be within this very secure type of data centre (certified by a third party to meet this internationally recognised third-party assurance audit designed for service organisations) even before you question the virtual elements of security in the cloud service itself. You should also ask the provider if access can be granted to said reports itself or indeed can be auditable.
Two, companies that employ the cloud on their own don’t always have the dedicated expertise to evaluate all of their security and data protection needs. One company, for example, had a growing business and wanted to employ the cloud. But its data centre, with a decent-sized server farm, was housed in a converted office space, with cardboard boxes cluttering the space, and a haphazard approach to IT management. Neither system nor access was truly secure, reliable, or available. A data centre with operations already tailored to monitoring and managing services for customers can leverage those well-honed skills to enhance cloud offerings, so even if you’re looking to deploy a private cloud rather than use a shared public cloud consider the physical aspects of where you are going to host it
Safety
Third, data can be protected by taking the proper steps. Although ‘security of my data’ is frequently listed at the top of cloud concern surveys, it’s untrue that data just floats in the cloud where anybody can see it. What is true is that some cloud engagements can provide higher security than others, including do-it-yourself projects. The key is to find the vendor that demonstrates this. No inherent reason exists that automatically makes cloud-based data less secure than data not in the cloud.
Any vendor you partner with should offer a high level of physical security – a network of fully protected secure data centres – and a multi-element security system in the cloud that isolates and safeguards your important company data with firewalls, log and threat management. Data protection is tightened by adding layers of prevention, detection and security.
What about protection from savvy cyber-criminals? A data-protection vendor responsible for safeguarding many customers in the cloud actually can typically thwart cyber-criminals better than organisations can manage on their own because expertise can be pooled and leveraged for maximum scale. An experienced threat manager with security expertise and architects in place can greatly reduce the probability of cyber-attacks occurring in the first place. (Remember, however, that 100 percent protection from a breach can never be guaranteed.)
When a managed services provider with its sophisticated detection systems and defences is monitoring customers, the cloud operations centre can spot and address a perceived problem quickly because of the overall larger dedicated base that must be protected. The IT staff also constantly tests all layers of protection, ensuring that systems are up to date, that all needed patches have been made, and that all housekeeping chores are taken care of. This protects cloud implementations from snooping by other customers within the same environment. Hypervisors prohibit such cross-virtual machine (VM) traffic.
Cost, of course, is a concern that invariably emerges. Usually, cost comes down to how much risk exists and how much you’re willing to spend. Any company using a reputable services provider will get some level of security. But there are multiple variables to consider, including the number of firewalls needed, tighter rules, and degrees of alarm systems. It often becomes a matter of basic security with additional options. Companies with critical data often consider more sophisticated security systems because of the particular sectors they’re in and the sensitivity of their data, or because regulators require a certain level of protection and example of this is PCI DSS and how a Cloud provider can provide service that will ensure that you can gain PCI DSS certification.
Companies with critical data (and really, what company does not have critical data?) that are considering moving to the cloud must adopt a mindset that a cloud environment can actually provide more security. They must demand that their potential providers prove this. This mindset can help you select a provider that can truly enable a secure, reliable, and available production environment for your specific needs.
Getting started is easy to do. Simply ask yourself several key questions, such as:
Can I scale up (and down) easily?
Can my provider clearly demonstrate a high degree of security for my data?
Can the implementation display a level of availability and reliability consistent with my needs and budget?
Can my provider add services on top of what I’ve got, but that I don’t want to handle myself?
Can my data be protected and reliably backed up?
Can my applications in the cloud fail-over to an alternative data centre in the cloud within an SLA [service level agreement]?
Some of these questions aren’t specific to the cloud. But you should address all of them if you’re moving in that direction.
