Hardening the Cloud
Security considerations to protect your organization
Illustration by Mick Wiggins
Security concerns abound when it comes to cloud computing. In an online poll recently conducted by Unisys Corporation, 51 percent of 312 respondents said security and data privacy concerns remain the most significant impediment to cloud computing adoption. In another poll conducted by Unisys in a June 2009 webinar, 72 percent of the respondents cited security as their greatest concern for moving workloads to the cloud. Are these concerns justified or do they reflect a fear of the unknown? Let's take a look.
Clear Up Cloud Consideration
When you take advantage of any new technology, you must decide whether it's just cool or actually meets your business needs. Cloud computing has the potential to save significant money, in terms of both hardware and software licenses, over hosting your own computing resources. But just because it saves money doesn’t necessarily mean it’ll meet your business requirements. Specifically, you must examine both the technology and the provider to ensure they can meet your organization’s security policy requirements, legal requirements for issues such as information discovery during a lawsuit, and the compliance requirements of all of the laws and regulations that apply to your organization.
Much of whether cloud computing meets your business requirements depends on the type of data being stored, manipulated or shared in the cloud.
If you’re thinking of using the cloud to manage information containing personally identifiable information (PII), HIPAA or Payment Card Industry (PCI) data, or data that’s highly confidential or valuable to your organization, examine your organization’s security policy regarding this type of data. For example, if you store credit card numbers, your security policy will reflect the PCI requirements that cardholder data be encrypted when it flows over a public network or when it’s at rest (i.e., stored in a file or spreadsheet). If you’re going to send PCI or any other data that’s required to be encrypted to the cloud, you’ll want to question the provider to determine if it can meet your encryption needs. And don’t forget about the encryption key management requirements. You’ll also want to make sure access controls can be set on these objects and that they’re set to “deny by default.”
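As an added example (not part of the original article and not any provider's API), the following Python code checks a constructed inventory of cloud objects against the requirements named above: encryption at rest and in transit, a recorded encryption key owner, and a deny-by-default access control list. The record fields, classification labels and sample objects are assumptions made for illustration.

```python
# Added example: audit a constructed inventory of cloud objects.
# All field names are hypothetical; they do not come from a real provider API.
from dataclasses import dataclass, field

SENSITIVE = {"PCI", "PII", "HIPAA", "CONFIDENTIAL"}  # data types named in the text

@dataclass
class CloudObject:
    name: str
    classification: str          # e.g. "PCI" or "PUBLIC"
    encrypted_at_rest: bool
    transport: str               # "tls" or "plaintext"
    key_owner: str               # who manages the key; "" if nobody is recorded
    acl_default: str = "allow"   # outcome when no grant matches a request
    grants: dict = field(default_factory=dict)  # principal -> set of actions

def is_allowed(obj, principal, action):
    """An explicit grant allows the request; otherwise the ACL default decides."""
    if action in obj.grants.get(principal, set()):
        return True
    return obj.acl_default == "allow"

def audit(objects):
    """Return (object name, finding) pairs; only sensitive objects are checked."""
    findings = []
    for o in objects:
        if o.classification not in SENSITIVE:
            continue
        if not o.encrypted_at_rest:
            findings.append((o.name, "not encrypted at rest"))
        if o.transport != "tls":
            findings.append((o.name, "sent over the network unencrypted"))
        if not o.key_owner:
            findings.append((o.name, "no recorded encryption key owner"))
        if o.acl_default != "deny":
            findings.append((o.name, "ACL is not deny-by-default"))
    return findings

# Constructed sample inventory
INVENTORY = [
    CloudObject("cards.csv", "PCI", True, "tls", "customer", "deny",
                {"billing-app": {"read"}}),
    CloudObject("patients.xlsx", "HIPAA", False, "tls", "", "allow"),
    CloudObject("brochure.pdf", "PUBLIC", False, "plaintext", "", "allow"),
]

if __name__ == "__main__":
    for name, finding in audit(INVENTORY):
        print(f"{name}: {finding}")
```

With an allow-by-default ACL, `is_allowed` returns True for a principal that has no grant at all, which is the exposure the deny-by-default requirement removes.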
While it may be relatively easy to avoid attacks that exploit poor choices in security settings, defending against a targeted attack is basically like going to war with a hacker.