How to use cloud computing safely

After listening to participants at Interop on Thursday, you said that you think it is difficult to meet security audit requirements, but if you want to get your data on the cloud, you should try to pass that audit.

Chris Richter, Savvis's vice president of security services, is leading a cloud computing security team. In his opinion, auditors should focus on keeping the business a well-defined standard. These safety standards do not exist for the cloud computing environment. Therefore, auditors should be cautious. They need to be very strict, and in the event of a mistake, they will probably be beyond redemption.

These rules should keep pace with the times. However, these rules do not currently exist. As a result, organizations need to be cautious about the types of data they are submitting to cloud computing to ensure they meet regulatory compliance standards, such as ensuring verifiable compliance with regulations such as HIPAA, PCI and Sarbanes-Oxley among these standards.

Richter said auditors want to see the inside of cloud computing. This is not allowed by many cloud computing providers. Many cloud computing providers are confidential about their physical architecture, policies, security, virtual LAN architecture, and other important factors. If you do not see how the data is flowing and how the VLAN is fragmented, do not allow your data to be separate from other people's data. Do not allow this.

Richter said that complicating the issue is how identity and access management are handled so that unauthorized users can not get into the cloud. He said I do not yet know anyone who implements true and effective identity and access management in cloud computing.

That said, he believes it is possible to use proprietary cloud computing for the most sensitive information. He said I know the most powerful proprietary cloud computing. I have the confidence to put my most valuable data there. Part of the reason for this is that organizations retain control over data, applications, and infrastructure in private cloud computing. You can trust more in what you do.

Regardless of whether a cloud is trusted by the business and approved by auditors, the responsibility for data protection remains with the business. External applications, platforms, or infrastructure do not outsource responsibility.

If a cloud computing provider is widely perceived to comply with security standards, this does not mean that individual businesses that use this cloud computing service will meet the standards. Formal Your end user is responsible for compliance, not for service providers.

Richter has set out eight steps for organizations planning to use some form of cloud computing that allow them to safely move from proprietary, legacy infrastructure to cloud computing by following these steps:

1. Evaluate your application. Some applications have a very close relationship with your enterprise system and are not suitable for cloud computing.

2. Classification data. Determine what is sensitive data, what is not sensitive data. This result can determine what kind of cloud computing you choose.

3. Determine the type of cloud that best suits you: Software as a Service, Platform as a Service, or Infrastructure as a Service.

4. Choose the delivery method. Proprietary cloud computing, self-managed cloud computing, managed or external cloud computing, public cloud computing, enterprise cloud computing from high, hybrid cloud computing.

5. Designated platform architecture. This should include technical specifications for computing, storage, backup, network routing, virtualization and dedicated hardware.

6. Specify safety controls. This should include firewalls, intrusion detection / prevention systems, records management, application protection, data loss protection, identity and access control, encryption and security vulnerability scanning, and more.

Policy requirements. Check out the cloud provider's policies to make sure their policies meet your needs. "Believe me, every provider's policy is very different."

8. Check the service provider itself. Are service providers geographically dispersed? Are users automatically configurable? Are service providers of sufficient capacity to meet their sudden growth needs? Can they monitor all user communications to prevent a user from inadvertently refusing a cloud? Service Attacks? What is a service level agreement? Is the provider's financial position stable?