In our last Cloud post (Cloud Computing Risks and Rewards) we discussed a number of Cloud risks related to security:
- Data location (Do You Know What Your Data Is Doing When You’re Not Looking?)
- SAS 70 audit reports and PCI DSS compliance
- Data protection controls (IDS, IPS, firewalls, etc.)
These risks don’t “demonize” the cloud; rather, they raise some critical questions about the protection of company data that is migrated to cloud servers. The security of the cloud is still a bit (forgive the pun) cloudy to most, and it is not yet clear how well it integrates with existing security policies, protocols, and infrastructure.
Christofer Hoff, who offers an excellent cloud perspective in his blog Rational Survivability, argues that it is not the nature of cloud computing that businesses should worry about, but rather how companies implement and manage it.
“We’re struggling less with security technology solutions (as there really are few) but rather with the operational, organizational, and compliance issues that come with this new unchartered (or poorly chartered) territory,” Hoff wrote in his post Security and the Cloud – What Does That Even Mean?
Hoff’s quote pinpoints the simple source of our worries: we’ve developed a standard for IT security and compliance that’s being disrupted by something new. The question now is not whether companies should migrate to the cloud. The question is how our existing security methodologies will translate and apply to cloud computing. Since no industry standard for cloud security compliance has been adopted, organizations must steer their own ships as they sail toward cloud solutions.
Four ways organizations can retain appropriate data security as they implement elements of the cloud:
- Policy review. Read your cloud provider’s terms of service, privacy policy, and service-level agreement carefully. They spell out what rights the provider reserves over your data: where it may be stored, who may access it, and how it is protected.
- SAS 70 and PCI DSS compliance. As we said in our last post, a provider’s SAS 70 audit report and PCI DSS compliance documentation may disclose details about its controls that aren’t specified in the service agreement. They are the closest thing available to a standard for cloud peace of mind, but check the scope: an audit report only covers the controls and systems the provider chose to have examined.
- Choosing a public, private, or virtual private cloud. A public cloud lets employees reach company data from any system anywhere; the trade-off is that you rely on the provider’s controls to secure that access. A private cloud costs more, but limits access to company-owned systems or systems on the company’s own network, giving greater control over data resources and security. A virtual private cloud runs on public cloud infrastructure in a private or semi-private manner, offering a balance between cost efficiency and security.
- Leveraging ITIL methodology. ITIL is a widely adopted, adaptable framework that gives IT service management a common starting point. As more businesses adopt cloud applications, they will have the opportunity to apply ITIL processes (change, configuration, incident, and service-level management) to this new generation of computing.