Cloud Security and Privacy

The ever-present question however, is whether it is safe to put mission-critical data on the cloud. The very term “cloud” implies that your sacred information is being stored someplace, and you probably don’t even know where or how. To little surprise, security is the far biggest concern among those considering cloud computing technology.

Yet, cloud computing is too big to ignore. It is likely the most significant shift in computing paradigms in the past 30 years. That shift is well underway, with consumers, small and midsize businesses, and even large enterprises putting applications and data into the cloud. They are shifting from pure on-premises applications and data storage to virtualized servers with hopefully reputable vendors.

If you’re an IT manager, it’s good to be paranoid. Losses from cybercrime and attack can be enormous, and the 2008 CSI Computer Crime and Security Survey show an overall average annual loss of just under $300,000.

It may seem like a leap of faith to put your valuable data and applications in the cloud, and to trust cloud computing security to a third party. Yet faith is not a part of the equation, nor should it be. Every enterprise needs to know that its data and applications are secure, and the question of cloud computing security must be addressed.

In fact, the cloud does have several security advantages. According to NIST, these cloud computing security advantages include:

· Shifting public data to a external cloud reduces the exposure of the internal sensitive data

· Cloud homogeneity makes security auditing/testing simpler

· Clouds enable automated security management

· Redundancy / Disaster Recovery

All four points are well taken. Cloud providers naturally tend to include rigorous cloud computing security as part of their business models, often more than an individual user would do. In this respect, it’s not just a matter of cloud computing providers deploying better security, the point is, rather, that they deploy the precautions that individual companies should, but often don’t.

Is 2010 the year of cloud platforms?

Most application providers impose some level of security with their applications, although when cloud application providers implement their own proprietary approaches to cloud computing security, concerns arise over international privacy laws, exposure of data to foreign entities, stovepipe approaches to authentication and role-based access, and leaks in multi-tenant architectures. These security concerns have slowed the adoption of cloud computing technology, although it need not pose a problem.

Are cloud “platforms as a service” the answer? The very nature of a cloud platform is that it imposes an instance of common software elements that can be used by developers to “bolt on” to their applications without having to write them from scratch. This advantage is especially useful in the area of security. The cloud platform brings an elegant solution to the security problem by implementing a standard security model to manage user authentication and authorization, role-based access, secure storage, multi-tenancy, and privacy policies. Consequently, any SaaS application that runs on the common platform would immediately benefit from the platform’s standardized and robust security model.

Are private clouds the answer?

The term “private cloud” likely sounds like a misnomer because it really is. A private cloud generally refers to cloud computing technology within a firewall. In many cases, you can probably even touch the box that it runs on, so it’s not really “in the cloud”. Be that as it may, so called private clouds may be the ultimate solution for enterprises that want the best combination of benefits and risks. With a private cloud, enterprises can dramatically lower their time, risks and costs of engineering and maintaining Web-based software systems, without the security concerns associated with remote hosting. The easiest way to implement a private cloud may be to leverage an open platform, which inherently takes advantage of open APIs. This way, enterprises can build and integrate cloud-enabled systems over time without the proprietary dependencies.

Superior physical security through cloud computing provider

Lack of physical security is the cause of an enormous amount of loss, and insider attacks account for a surprisingly large percentage of loss. And while the specter of black hats hacking into your network from a third world country is very much real, very often, the “black hat” is in reality a trusted employee. It’s the guy from the Accounting department who you have lunch with. It’s the lady who brings you coffee in the morning and always remembers that you like two sugars. It’s the recent college grad with so much potential, who did such a great job on that last report.

Of course, insiders can attack your network and data regardless of where it is located, given enough incentive and information, but physical proximity of the actual hardware and data makes it much easier to gain access, and cloud data centers tend to have better internal physical security protocols, including locked rooms, regulated access, and other protections against physical theft and tampering.

Conclusion: Superior security through the cloud

Besides physical security, technical security is of the utmost importance. Hosting your own servers and applications requires extra measures. A larger organization may need to deploy dedicated IT staff to security only. Cloud computing, on the other hand, builds cloud computing security directly into the cloud platform. While the company still must maintain in-house security in any case, the provider ensures that the applications and data are safe from attack.

We tend to think that retaining control over everything is inherently more secure, when this is not the case. Smaller companies especially may lack the skilled security staff in-house, and even larger firms often just don’t have the resources to dedicate to implementing rigorous security on an ongoing basis. A cloud computing provider on the other hand, which offers a detailed service level agreement and retains skilled security staff in-house, will often provide superior security when compared with the in-house alternative.

For more information about cloud computing, please visithttp://www.cloudipedia.com for a free copy of “Cloud Computing Made Easy.” Cloudipedia is a property of Virtual Global, a provider of cloud-enabled enterprise IT solutions and the TeamHost™ cloud computing platform for building SaaS applications without programming.

http://www.virtualglobal.com

http://www.teamhost.com