TL;DR: Securing your company’s cloud-based assets starts by applying tried-and-true data-security practices, modified to address the unique characteristics of virtual-network environments. Cloud services are slowly gaining the trust of IT managers, who are justifiably hesitant to extend their security perimeter to accommodate placing their company’s critical business assets in the cloud.
The fast pace of technological change doesn’t faze IT pros, who live the axiom “The more things change, the more they stay the same.” The solid security principles that have protected data centers for generations apply to securing your organization’s assets that reside in the cloud. The key is to anticipate the new threats posed by cloud technology — and by cyber criminals who now operate with a much higher level of sophistication.
In a September 18, 2014, article, ZDNet’s Ram Lakshminarayanan breaks down the cloud-security challenge into four categories: 1) defending against cloud-based attacks by well-funded criminal organizations; 2) preventing unauthorized access and data breaches that start from employees’ stolen or compromised mobile devices; 3) maintaining and monitoring cloud-based APIs; and 4) ensuring compliance with the growing number and complexity of government regulations.
IT departments are noted for their deliberate approach to new technologies, and cloud-based data services are no different. According to a survey published this month by the Ponemon Institute of more than 1,000 European data-security practitioners (pdf), 64 percent believe their organization’s use of cloud services reduces their ability to protect sensitive information.
The survey, which was sponsored by Netskope, blames much of the distrust on the cloud multiplier effect: IT is challenged to track the increasing number and type of devices connecting to the company’s networks, as well as the cloud-hosted software employees are using, and the business-critical applications being used in the “cloud workspace.”
Building trust between cloud service providers and their IT customers
No IT department will trust the organization’s sensitive data to a service that fails to comply with privacy and data-security regulations. The Ponemon survey indicates that cloud services haven’t convinced their potential customers in Europe of their trustworthiness: 72 percent of respondents strongly disagreed, disagreed, or were uncertain whether their cloud-service providers were in full compliance with privacy and data-security laws.
Even more troubling for cloud service providers is the survey finding that 85 percent of respondents strongly disagreed, disagreed, or weren’t sure whether their cloud service would notify them immediately in the event of a data breach that affected their company’s confidential information or intellectual property.
The Morpheus database-as-a-service puts data security front and center by offering VPN connections to your databases in addition to online monitoring and support. Your databases are automatically backed up, replicated, and archived on the service’s SSD-backed infrastructure.
Morpheus also features market-leading performance, availability, and reliability via direct connections to EC2 and colocation with the fastest peering points available. The service’s real-time monitoring lets you identify and optimize the queries that are slowing your database’s performance. Visit the Morpheus site for pricing information and to sign up for a free account.
Overcoming concerns about cloud-service security
Watching your data “leave the nest” can be difficult for any IT manager. Yet the major cloud service providers offer a level of security at least on par with that of most customers’ on-premises networks. In a September 15, 2014, article on Automated Trader, Bryson Hopkins points out that Amazon Web Services and Microsoft Azure are two of the many public cloud services that comply with Service Organization Control (SOC) reporting, HIPAA, FedRAMP, ISO 27001, and other security standards. Bear in mind that such attestations cover the provider’s own controls; how you configure the services you run on top of them remains your responsibility.
The SANS Institute’s Introduction to Securing a Cloud Environment (pdf) argues that despite the cloud’s larger “attack surface” compared with in-house servers, the risk of a breach of cloud-hosted data is actually lower than the risk of losing locally hosted data. Physical and premises security are handled by the cloud provider; the customer builds on that with a layered approach that uses virtual firewalls, security gateways, and other techniques.
Resource contention and other problems arising from multi-tenancy can be addressed by reprovisioning virtual machines onto other hosts, deliberately overprovisioning so that other tenants cannot be placed on the same host, and buying fully reserved capacity.
Another technique for protecting sensitive data in multi-tenant environments is to isolate networks by configuring virtual switches or virtual LANs. Virtual-machine traffic and hypervisor management traffic must be isolated from each other at the data link layer (layer 2) of the OSI model, so that a frame from a tenant VM can never be forwarded onto the management segment.
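To make the layer-2 point concrete, here is an added example (not from the original article, and not the code of any product mentioned on this page): a toy model of an 802.1Q-aware virtual switch with VM ports on one VLAN, the hypervisor management port on another, and a trunk to the physical NIC. The port names, VLAN numbers and MAC addresses are constructed for the demonstration. It contrasts the weak configuration (every port on the default VLAN, so a VM’s broadcast lands on the management interface) with the isolated one, and shows why access ports must drop frames a VM has tagged itself.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass(frozen=True)
class Frame:
    """An Ethernet frame as the switch sees it: addresses plus optional 802.1Q tag."""
    src: str
    dst: str
    vlan: Optional[int] = None  # tag on the wire; None means untagged


class VlanSwitch:
    """Toy model of an 802.1Q-aware learning bridge such as a hypervisor vSwitch.
    A frame is only forwarded to ports that are members of its VLAN."""

    def __init__(self) -> None:
        self.access: Dict[str, int] = {}           # port -> VLAN of untagged traffic
        self.trunks: Dict[str, Set[int]] = {}      # port -> VLANs allowed on trunk
        self.fdb: Dict[Tuple[int, str], str] = {}  # (vlan, src MAC) -> learned port

    def add_access_port(self, port: str, vlan: int) -> None:
        self.access[port] = vlan

    def add_trunk_port(self, port: str, allowed: Set[int]) -> None:
        self.trunks[port] = set(allowed)

    def _classify_ingress(self, port: str, frame: Frame) -> Optional[int]:
        """Return the VLAN a frame belongs to, or None if it must be dropped."""
        if port in self.access:
            # Access ports take untagged frames only; a VM that tags its own frames
            # is attempting to hop into another VLAN, so the frame is dropped.
            return None if frame.vlan is not None else self.access[port]
        if port in self.trunks and frame.vlan in self.trunks[port]:
            return frame.vlan  # tagged frame for a VLAN this trunk carries
        return None  # unknown port, untagged frame on a trunk, or disallowed tag

    def _may_egress(self, port: str, vlan: int) -> bool:
        if port in self.access:
            return self.access[port] == vlan
        return vlan in self.trunks.get(port, set())

    def receive(self, port: str, frame: Frame) -> List[str]:
        """Switch one frame arriving on `port`; return the ports it was sent out of."""
        vlan = self._classify_ingress(port, frame)
        if vlan is None:
            return []
        self.fdb[(vlan, frame.src)] = port  # learning is scoped per VLAN
        known = self.fdb.get((vlan, frame.dst))
        if frame.dst != BROADCAST and known is not None:
            candidates = [known]  # known unicast: one port
        else:
            candidates = list(self.access) + list(self.trunks)  # flood, VLAN-bounded
        return sorted(p for p in candidates if p != port and self._may_egress(p, vlan))


def build_switch(isolated: bool) -> VlanSwitch:
    """Isolated: VMs on VLAN 100, management on VLAN 200. Flat: everything on VLAN 1."""
    sw = VlanSwitch()
    vm_vlan, mgmt_vlan = (100, 200) if isolated else (1, 1)
    sw.add_access_port("vm1", vm_vlan)
    sw.add_access_port("vm2", vm_vlan)
    sw.add_access_port("mgmt0", mgmt_vlan)
    sw.add_trunk_port("uplink", {vm_vlan, mgmt_vlan})  # trunk to the physical NIC
    return sw


# Constructed sample MAC addresses for the demonstration.
VM1, VM2, MGMT = "02:00:00:00:00:01", "02:00:00:00:00:02", "02:00:00:00:00:aa"


def demo() -> Dict[str, List[str]]:
    iso, flat = build_switch(isolated=True), build_switch(isolated=False)
    return {
        # Flat switch: a VM's broadcast (an ARP probe, say) lands on the management port.
        "flat_vm_broadcast": flat.receive("vm1", Frame(VM1, BROADCAST)),
        # Isolated switch: the same broadcast reaches the other VM and the trunk only.
        "iso_vm_broadcast": iso.receive("vm1", Frame(VM1, BROADCAST)),
        # A VM stamping its frame with the management tag is dropped on ingress.
        "iso_vm_tag_spoof": iso.receive("vm1", Frame(VM1, BROADCAST, vlan=200)),
        # Management broadcast leaves only via the trunk, tagged 200, never to a VM.
        "iso_mgmt_broadcast": iso.receive("mgmt0", Frame(MGMT, BROADCAST)),
        # Tagged management traffic arriving on the trunk reaches mgmt0 alone.
        "iso_trunk_mgmt_in": iso.receive("uplink", Frame(MGMT, BROADCAST, vlan=200)),
        # Known unicast after learning: vm2 -> vm1 is delivered to vm1 only.
        "iso_vm_unicast": iso.receive("vm2", Frame(VM2, VM1)),
    }


if __name__ == "__main__":
    for name, ports in demo().items():
        print(f"{name:20s} -> {ports}")
```

The model deliberately omits spanning tree, native-VLAN tagging on trunks and MAC-table ageing; the property it demonstrates is the one the paragraph asks for: with the forwarding table and flooding both scoped to a VLAN, nothing a tenant VM sends on its access port can reach the management segment, whereas on a flat switch every broadcast does.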
In a June 27, 2014, article on CloudPro, Davey Winder brings the issue of cloud security full circle by highlighting the fact that the core principles are the same as for other forms of data security: an iron-clad policy teamed with encryption. The policy must limit privileged-user access by the service’s employees and provide a way for customers to audit the cloud network.
One way to compare in-house data management and cloud-based management is via the farmer-restaurant analogy described in a September 15, 2014, article by Arun Anandasivam on IBM’s Thoughts on Cloud site. If you buy your food directly from the farmer, you have a first-hand impression of the person who grew your food, but your options may be limited and you have to do the preparation work. If you buy your food from a restaurant, you likely have a wider selection to choose from and you needn’t prepare the meal, but you have less control over the food’s path from farm to kitchen, and you have fewer opportunities to determine beforehand whether the food meets your quality requirements.
That’s not to say farmers are any more or less trustworthy than restaurants. You use the same senses to ensure you’re getting what you paid for, just in different ways. So check out the Morpheus database-as-a-service to see what’s on the menu!