Security is the hottest topic in town when considering moving your business to the Cloud, especially if you plan to use an external provider or, even worse, more than one provider. How do you make sure your data are “secure” out there? Here are ten simple rules to follow if you want to stay on the safe side of Cloud Computing.
There are many kinds of clouds: private and public, just to name the two most common ones.
Private clouds are usually run over a more or less dedicated infrastructure operated by an external provider. Public clouds, on the other hand, run on shared infrastructures by the folks at Microsoft BPOS, Amazon EC2, Google Apps, Salesforce.com, and others. The list is long and getting longer every day.
In choosing and working with one of these providers, it’s good to follow a simple set of rules, some of which have nothing to do with Cloud Computing at all. In fact, they apply just as well to your internal IT.
1. Consistent policies and processes governing information security: There is no such thing as external and internal security. It’s all about security, stupid! You need a reliable framework of rules, regulations, policies and processes that everyone in your IT knows and follows.
2. Risk-awareness and protection needs analysis: Deciding where to store which information and what to demand from your cloud provider calls for some deep thinking. The only way to be sure you’ve thought of everything is by following tried and proven risk management procedures and conducting a thorough protection needs analysis.
3. Well-structured, risk-oriented processes for choosing providers: Finding the right provider calls for a standardized and centralized approach. Employ sloppy, haphazard decision processes at your peril!
4. Clearly defined Service Level Agreements: Make sure you and your provider agree (in writing!) exactly what you’re signing up for. Set out milestones and metrics for making sure you get what you’re paying for.
5. Sustainable quality of service: Everything your provider delivers needs to be measured by a commonly agreed yardstick. Make sure you have one!
6. Encryption end to end: Wherever data can be encrypted, make sure it is! This goes especially for data storage: Does your cloud provider really need to know what’s in the bytes you put on his server?
7. Consistent identity and entitlement management: Nothing is more important in the Cloud than proper user authorization. Use standards such as SAML, SPML and XACML whenever you can, but even more importantly: Make sure the concept you choose is sound!
8. Managing and controlling privileged users: Trust is good, but control is better! Keep an eye on your admins – not only in the Cloud. What are operators and administrators allowed to do in your systems? Is their behavior auditable? And just how much harm can a rogue admin working for your cloud provider cause your company?
9. Use anonymizers and masking technologies: Sometimes there is no need to store the real data in the Cloud. Advances in technologies such as anonymizing and masking are becoming more widespread.
10. Pre-defined fallback and migration scenarios: Are you really certain you can get all your data back if you decide to switch providers, and that none will remain out there in the Cloud? This isn’t just an availability issue, it’s about data security, too. You need to have rules in place from day one to ensure that you can exit painlessly whenever you want.
By now it should be clear that Cloud Security is about a lot more than just technology. Yes, technology is important, and some technologies still need to mature, especially in such areas as Information Rights Management, Authorization, and the processing of encrypted data, just to name a few.
But the main thing is making sure your organization is ready for the Cloud. This calls for processes and rules that govern the way your cloud strategy is implemented, operated and monitored. That way, you can be sure you’re dealing with the right cloud provider, and that he knows exactly what is expected from him.