Sorting Through Conflicting Information About Private and Public cloud Hosting Environments?
In my daily perusal of cloud industry experts’ blogs, articles and news headlines, I see drastically conflicting points of view about the security and sanctity of both private and public cloud hosting environments. With such varied viewpoints, it seems IT leaders may never reach a consensus on best practices, or even the possibility for security in an outsourced, cloud IT environment. How, then, can any corporate CIO sort through the conflicting information and make an informed decision?
Misperception #1: Perceived Lack of Control in the Cloud
Control means everything to a CIO, and many perceive that hosting sensitive information on an outsourced, shared, multi-tenant cloud platform surrenders every hope for maintaining it.
A niche group of secure cloud hosting providers understands this concern and addresses it by making the same security best practices, regulatory guidelines, and compliance controls that CIOs enforce inside their own internal organizations. But they make this available via a more affordable, outsourced infrastructure model. Backed by facilities, services, policies and procedures that proliferate PCI DSS 2.0, NIST 800.53, ISO 27001 and ITIL, these unique cloud hosting suppliers satisfy CIOs requirements with highly specialized expertise, transparency, and dedicated oversight– often to a degree that would otherwise be cost prohibitive to implement internally.
The thought of outsourcing risk management can also give CIOs nightmares. Depending on a third party for critical tasks like patch management, vulnerability scanning, virus/malware detection, intrusion detection, firewall management, network management, log management and so on constitutes a loss of control, right? Wrong!
Through secure systems access, dynamic dashboards, insightful portals, transparent configuration and risk reports in real time, secure hosting partners give CIOs control over their systems. In fact, CIOs should regard an outsourced host as an extension of their own IT departments.
Misperception #2: Perceived Lack of Security in a Multi-tenant Cloud
Fear about co-mingling logically unrelated virtual machines and data on a single physical server with remote access capabilities keeps public cloud opponents busy. Obtaining a comfort level with the reliability of information isolation and separation in a multi-tenant cloud is paramount for CIOs. So how do outsourced IT service providers secure a virtual environment hosted in a multi-tenant cloud? The same security best practices that apply to a dedicated, standalone information system apply to a virtualized environment.
Virtual machines live in a virtual network on the hypervisor (the operating system upon which a VM resides.) With proper VM isolation, no other tenants can access or even see the other VMs or data. The same ideology applies to network security in a virtualized environment, as well. Simply implement firewalls in front of each VM. Even if the data can be separated successfully, what about data destruction? The time consuming nature and expense make degaussing disks a rare practice in a public cloud hosting environment. Instead, cloud providers often employ an extremely effective and DoD-approved disk wiping utility which performs a number of passes to properly remove data from the target storage unit.
The Reality
CIOs have a fiduciary duty and the ultimate responsibility (legally and ethically) to ensure that the corporation’s sensitive information and data are protected from unauthorized access. CIOs also have limited budgets and resources to work with so they are always researching new and emerging technologies that will reduce cost, increase security and scalability, and maximize efficiencies in their infrastructure. Independent studies have demonstrated that both IaaS and SasS cloud models decrease cost, increase scalability and are extremely efficient when it comes to rapid deployment of new systems.
A meager 3% of the CIOs surveyed in Gartner’s 2011 CIO Agenda reported that the majority of their IT operations reside in the cloud today. 3%. Seems low, doesn’t it? As you can see, a variety of reasons have delayed CIOs decisions to adopt cloud architecture. But with more quality information at their fingertips and proven results in the rearview mirror, the trend is changing.
By 2015, 43% of CIOs expect to have the majority of their IT running in the cloud on Infrastructure-as-a-Service (IaaS) or Software-as-a-Services (SaaS) technologies. In summary, cloud security, if architected and configured properly, can securely host and protect your information systems and sensitive data.
Read More in SecurityWeek’s Cloud Security Section