For most companies, migrating business processes to the cloud offers several benefits. It can reduce overhead, and boost the average worker’s ability to carry out daily tasks. With that said, moving mission-critical services and data to the cloud also comes with some risks, including one that many organizations fail to consider.
When businesses and organizations of any type look to cloud computing, what they’re really talking about is “pooling resources together into one amorphous blob that can be shared across organizations, departments, or customers,” said Johnnie Konstantas, an executive at Juniper.
That pooling of resources allows those organizations to do more with less. However, CIOs and IT pros should understand the risks involved in cloud-based initiatives before signing a contract for services, and that starts with research—lots of research.
Public Cloud
Simply put, organizations must first obtain a baseline from their network, identifying all existing workloads and mapping them to the cloud. This includes existing security layers. Once the base is established, the organization needs to decide whether a public, private, or hybrid cloud solution will fit best with its overall goals.
The chosen option should allow an organization to expand as needed (or shrink, if that’s the case), while maintaining security and efficiency.
Public cloud offerings, such as the ones from Amazon, allow organizations to pay as they go. For smaller operations, the cost benefit of that is almost instantaneous, depending on the provider’s terms.
The main risk associated with the public cloud option is workload segmentation. An organization opting for the public cloud model is placing their data in the hands of a third party. Because of that, the organization needs assurances its workload is separated from that of other customers.
Private Cloud
Private cloud solutions, where computing and storage are deployed within the organization itself, don’t eliminate the concerns usually associated with public clouds.
“When it’s a private cloud, you have similar concerns,” Konstantas explained. “But they tend to be more regulatory in nature. You want to make sure that housing customer data, human resource data, [or] sensitive intellectual property, that you’ve created the proper barriers between these cloud workloads, so that you’re not in danger of violating some sort of regulation, or that you’re not unduly exposing sensitive information to the Internet or to unwanted access.”
The various platforms available for cloud deployments, such as AWS or Azure, should be vetted to ensure they meet the organization’s needs. This includes security assurances (such as isolation), rule-based security that governs continuous VM usage and newly created instances, SLAs, and regular reporting.
“Believe it or not, different service providers vary greatly as to what they offer to you as protections to your cloud,” Konstantas noted. It can go from nothing at all, to a firewall that an organization needs to manage on their own, to something that the provider deploys and manages for customers.
Hybrid Cloud
Once the type of cloud has been selected, organizations should conduct additional research into the types of workloads that will be offloaded to it. The offloaded workloads may require unique layers of security on top of the overall layer of security generally assigned to a digital asset.
For example, customer data should be protected and available only to authorized applications and staff. Picture a workload of customer records and daily transactions. An organization sending that to the cloud needs a layered security approach that ensures protection and regulatory compliance—without hindering access to the data when needed, and without impacting customer experience or internal productivity.
Some organizations navigate through this thicket by opting for a hybrid cloud. They will virtualize a portion of their datacenter, maybe because they want to lower their energy consumption or improve hardware utilization. At the same time, they will move some workloads to a hosted environment, further optimizing productivity and improving user experience by placing the forward-facing applications closer to them online.
The hybrid cloud allows organizations to leverage more processing power and storage as they need it, which is why most experts call it the best of both worlds when talking about the different cloud types.
But the hybrid model also carries risks, including a big one: communication. Organizations that want to deploy a hybrid solution need to ensure a secure tunnel on both endpoints so that the public cloud workloads can communicate with their counterparts in the private cloud.
Securing a hybrid cloud should involve the same layers used in the private and public options, but visibility and access control need to be key considerations. When a new instance is spun up, that instance may not require all the security used in the other parts of the infrastructure, but there should be visibility into what it is doing, along with controls dictating what application or users have access to it, and granular controls placed on the data itself.
Web Apps
Moreover, any Web application used to access data in the cloud must be examined as well. It will need to be secured and optimized to take advantage of the new environment.
“The benefit of new software designed with cloud in mind is that most software developers are, for the most part, aware of the benefits and challenges of cloud environments. Shoehorning legacy software, not to mention legacy security solutions, into cloud environments might cause some organizations to rethink their cloud adoption strategy and give pause to throwing everything into the cloud immediately,” said Andrew Hay, chief evangelist at Cloud Passage.
Application security involves hardening the application against vulnerabilities (such as SQL injection) and business logic flaws, including (in the latter case) ones that would allow a customer to view other customer accounts or manipulate the order process.
The Final Risk
The final unique risk associated with moving to the cloud is one that most organizations never see coming until it’s too late. There are plenty of options in the market for virtualization security, but an organization that deploys too many of these options can lose the benefit of cloud altogether.
In theory, the cloud provides a highly resilient network that can optimize itself for performance, all while making its users’ workday tasks more efficient.
“You don’t want security to come in and take away those benefits,” Konstantas said. “If you have to disable self service, if you have to disable live migration, if your security is so heavy-handed that it slows down traffic or you can’t get as many virtual machines on your virtual machine host, it costs you more. It costs you so much more that you might as well not have gone to the cloud computing model to begin with.”
Thus, cloud usage and security needs to be evened out. The largest risk that organizations face when moving to the cloud isn’t the presence of too little security; sometimes it’s the presence of too much.
Image: caliber_3D/Shutterstock.com
As far as the regulatory, cloud storage systems can distribute data throughout multiple data-centers, and these data centers are not always within US borders. Any large scale data provider cannot tell you where exactly data blocks are being stored unless effort is made up front to cordon off data and even then you need to be damn sure of that, for say medical or research data to meet HIPAA guidelines. The other penalty of a distributed data model is that you do require more processing to restore the information, so some applications requiring extensive I/O can have trouble in cloud environment. Of course there are ways to address these issues, but the time to look at these is before you put your data out there. There is no "retraction" on the Internet...one you post, store, transmit, etc.. anything, be sure that somewhere there is a copy. Places like archive.org make that their mission.
- spam
- offensive
- disagree
- off topic
LikeCloud Computing ! What a concept!
To Legally steal all smaller companies and private individuals information using the "Shroud of the Cloud"! This is not a mad man talking, this is a man who can read the writing on the wall.
If you don't believe me! Congress just passed the "CISPA" bill thru congress. It allows a few American companies to share "Private and Corporate" Data with other companies and to share this with the Government! It also allows the Government to share data with them, Keeping the Corporate world to them selves and violating everyone else's rights! I wonder who those companies are? "IBM, "yes" Microsoft "Oh Yea! and every damn tied in College in the Country! Just to name a few, along with half the banks. This is fact! Read the article in PC Magazine. As we use this cloud to place more and more of our corporate databases and the financial aspects of these smaller companies into the cloud and use the so called shared resources, "Remember, the biggies can see it all! And use it to there advantage and you have not a damn thing to say about it. The Cloud is great for web computing and to use for hosting of web sites but when you move your complete company and the data assets to the cloud you are now open to what they decide for you. And let me remind you of another fact! If they deem this material as sensitive to there needs then you loose everything. That is the second part of that Bill. IT Means "You are left Holding the bag" without any recourse or due process! I am not making this crap up! It's there, right in front of you. Stop it now or even some of the Companies that think there too big, will put there Data, Financial, Personal and other Databases in this "Shroud Cloud" and if someone is bigger "(The Bully's)", they can use that data at their "WILL" and for what ever they deem worthy for thier use! This is not only true, but really sad!
I am trying so hard to not be an alarmest! "But America", "Wake the hell up"! The rug is being pulled out and we are all asleep at the wheel. Please, I beg of you, check it out for your self and put a stop to this! They can take it all, "No Notice, No Recourse, No Warrant, No Justice, and No More "US"
Welcome to the United States of Security", it seems they hide behind freedom but they are taking it all away from us! One "$Bill" at a time!
"A woman who was interviewed on a news program said, "I would rather give up some of my freedom for a little better feeling of security" This woman is clueless!. What gives us our greatest amount of security is our Freedom! This is why everyone who does not llike us is always after us because the Freedom is what loses there followers to our way of life! So they keep comming after us. So instead of passing laws that limit our "freedom" we should be passing "Laws That Insure That Our Freedoms Can Never Be taken Away from Us Or Our Children and There Children and So On!
The Cloud is just a Shroud covering our eyes from what the truth is!
This is Fact!
- spam
- offensive
- disagree
- off topic
Likenice topic!
- spam
- offensive
- disagree
- off topic
Like