Discussions around cloud security tend to be framed in terms of lonely ships sailing into uncharted waters: “You don’t know what you’re getting into,” we’re routinely warned. Actually, we do. The fact is, the fundamental security challenges confronting a company seeking to source IT infrastructure services in the cloud are essentially the same as those faced in traditional outsourcing. Various potential risks – data center vulnerability, network intrusion, unauthorized system access, data privacy, natural disasters, etc. – must be assessed and addressed to provide an acceptable level of security for data centers, operating systems, storage environments, and networks.

What’s different in a cloud setting? It’s that the infrastructure “layers” involved may be more decentralized, are most likely shared with other customers, and have more complex IT operational processes, whereby processing may be moved among the provider’s data centers to load-balance.

Due diligence therefore comprises focusing on exactly the same traditional security concerns, asking the same “first round” questions about each infrastructure layer, and following up with more questions as complexities emerge. Ultimately, what’s needed to solve the mystery of cloud security is to “peel back the onion” – to systematically evaluate the security of each infrastructure layer, and to then assess additional risks inherent in the provider’s cloud architecture and operational environment.

Consider, for example, a virtual private cloud (VPC), where some, but not all, infrastructure components are dedicated to each customer. In other words, CPUs and storage may be dedicated, while server racks and physical network segments are shared. From a high-level perspective, assessing security may seem daunting as the environment is “new” and complex. But by systematically addressing the security concerns at each layer of the infrastructure “onion,” and then at the overarching cloud level, a viable approach readily emerges.

The first and foremost assessment question for a VPC is: What’s dedicated and what’s shared? While this has to be understood at a very deep technical level in order to perform a security assessment, providers have this information readily available. If the provider’s cloud solution has dedicated storage and servers, then the “first round” of due diligence is to use the customer’s “conventional” security criteria to assess the dedicated servers and storage security. Specifically, the servers’ virtual and operating systems’ security is assessed as it would be in a traditional hosted server environment.

As with public clouds, in a VPC the shared infrastructure components and cloud operating processes create security risks above and beyond those in a traditional hosted server environment. If server racks are shared, their architecture’s compliance with the customer’s security policies must be evaluated. If the provider’s processes include moving data between data centers to balance loads, compliance with the client’s data privacy and security requirements must be addressed.

As a client, the key to evaluating cloud security is understanding the cloud implementation details and “peeling back the onion.” This approach leads to a series of tractable security assessments that can be addressed using conventional evaluation processes. While the issues involved are complex, the complexity can be systematically addressed – layer by layer.

Originally posted by Steve Follin, Director, TPI Cloud Services, on Consider the Source

Cloud Security: Peeling the Onion



Blogger Profile: Consider the Source
TPI is the leader in guiding organizations through effective, lasting transformation of their business support operations. Around the globe we have helped hundreds of clients reduce operating risks, streamline complex operations, improve the cost of support functions, achieve sustainable improvements and make competitive gains. Decisions to change and successful transition of existing operations to new service delivery models is hard — and replete with risks. While the decisions are never formulaic, the hard-earned lessons of hundreds of prior evaluations are invaluable.

Posted by Sue Ansell at December 15, 2011 5:15 AM

Categories: Cloud computing Outsourcing Security
