A number of recently published articles continue the media’s focus on cloud data security. On PC World’s Net Work blog, analyst Tony Bradley points out that despite recent outages in cloud services from major providers, security remains a larger issue than availability:
The debate over cloud availability is silly… local networks and servers are not impervious to outages, so the risk is essentially the same as it pertains to availability. There are, however, other concerns that offer a much more valid argument against cloud services for some businesses. Chief among them is security and privacy. The convenience of outsourcing the IT infrastructure to a cloud-based third party comes with increased risk that your network traffic or stored data could be compromised in some way, either directly by the IT support personnel charged with maintaining your services, or inadvertently by exposing it to increased risk on Internet-based servers.
The post discusses private or hybrid cloud use as a response to security issues. According to a crn.com column, the proliferation of big data projects is another reason that IT security teams may be considering such action:
IT security teams should be on the lookout for business units that may be spinning up servers using a public cloud provider for big data analytics projects because it introduces a variety of security risks, according to a security auditor who frequently reviews the software and infrastructure supporting such projects.
The problem is ease of access (and, it seems to us, lack of corporate governance). IT teams are often skirted by business units that can rent cloud infrastructure in minutes, as executives in those units look to quickly leverage their data.
According to David Barton, principal and practice leader of the technology assurance group at Atlanta-based UHY Advisors, a business consulting firm, infrastructure as-a-service providers are typically the cheapest option to rent computing power, but this carries with it the most risk and responsibilities. “Unless an organization opts to lease a private cloud, the infrastructure in a public cloud environment is typically shared among different users; the location of the data is often uncertain and open to an increased risk of exposure,” says Barton. “Systems can also be open to shared technology vulnerabilities, making them ripe for attack by cybercriminals using automated tools. Denial of service attacks can result in cloud outages, making systems inaccessible for extended periods of time.”
Web application firewall developer Applicure outlines the basic data protection actions cloud users should expect to see implemented:
Access control lists to define the permissions attached to the data objects
Storage encryption to protect against unauthorized access at the data center (especially by malicious IT staff)
Transport-level encryption to protect data when it is transmitted
Firewalls to include Web application firewalls to protect against outside attacks launched against the data center
Hardening of the servers to protect against known, and unknown, vulnerabilities in the operating system and software
Physical security to protect against unauthorized physical access to data
Regardless of whether public, private, or hybrid cloud, user management needs to know what security controls are in place, to what extent these controls are implemented, and what plans are in place to deal with an attack. These questions should be answered sufficiently by cloud providers.
Posted by the Epicor Social Media Team