This article originally appeared in the April 2011 issue of InfoTECH SPOTLIGHT
Managed cloud services have emerged as excellent alternatives to procuring, building and maintaining new infrastructure for medium and large enterprises. However, it seems as though the adoption rate for cloud is significantly higher for non-core, non-production applications than it is for applications deemed critical for the day-to-day functions of these same medium and large enterprises. A customer recently pointed out that the reasons for the slower adoption include:
1. There is a perception that cloud is still too new and lacks the controls and processes to replace traditional managed hosting environments.
2. There is an inconsistent message from cloud providers about the ability to maintain confidentiality, integrity, and availability in shared cloud environments.
3. There seems to be a lack of support for compliance management in shared cloud environments.
I understand these points; however, I would contend that, given the right managed cloud service provider, these concerns would be quickly laid to rest through careful planning, discussion and design. Any leading cloud provider should be able to support the security, compliance and auditing necessary for the total outsourcing of any corporate applications. These providers should be able to employ an existing infrastructure to leverage the ongoing management of multiple customer environments, lowering the total cost of management and support. For example, these providers may have a shared backup infrastructure, a common patch management platform, and centralized monitoring and management tools.
Here are the key components of a highly secure cloud environment that a reputable cloud provider should be able to offer:
1. A Secure Physical Infrastructure – The data center in which the cloud environment is housed should be a highly rated facility leveraging redundant power utility feeds, UPS backup, and backup generators. This facility should be guarded 24/7, and access should be restricted to badge and biometric access for authorized individuals. The cloud locations should be geographically diverse and offer disaster recovery consistent with the application requirements.
2. Audited Logical Controls – The cloud infrastructure should be protected by the appropriate logical access controls including, but not limited to, two-factor authentication; authorization based on least privilege; intrusion detection and notification; and restrictive access controls.
3. Technical Security Controls – The applications and the systems that support those applications should be protected by the same controls that enterprises use to protect the traditional hosted environment. These controls include firewalls, antivirus software, vulnerability management, network segmentation, file integrity management, and application-layer firewalls.
4. Monitored Access – All traffic destined for, or sourced from, the cloud environment should be inspected for potentially invasive or intrusive activity. Log aggregation and event correlation are an important part of surveillance and of being able to determine potential attacks or breaches. This information can be correlated with logical access logs, antivirus scanning and real-time protection, intrusion detection logs, and automated vulnerability assessments.
While these four key components do not fulfill all of the compliance requirements for industry regulations and state and federal laws, they do address the majority of the security infrastructure that would be necessary to maintain a highly secure cloud environment compliant with HIPAA, PCI, GLBA, SOX, and state consumer and resident protection laws. By leveraging the core security solutions that have been purpose-built for a virtual environment, cloud customers are able to meet the auditing requirements of both third-party agencies and customers.
As the physical boundaries of corporate IT systems in medium and large enterprises continue to dissolve and these organizations become more open to employing similar logical security mechanisms in cloud environments, the adoption rate of cloud for core applications will accelerate and more organizations will benefit from leveraging a scalable, virtual environment that provides on-demand capacity and elasticity. These cloud-enabled organizations will experience lower costs of compliance, higher returns on investment, and models that provide the flexibility necessary to meet business needs.
Allen Allison is chief security officer of NaviSite. During his 20+ year career in the information security industry, he has served in management and technical roles, including the development of NaviSite’s industry-leading cloud computing platform.