For the fledgling cloud service sector, the issue of trust is a major issue. While the benefits of outsourcing expensive data storage to managed service providers are obvious to most businesses, lingering security concerns are making many businesses reluctant to move to cloud services.
A survey of 387 participants at the two cloud security workshop hosted by database security provider Greensql found that 80% of respondents were very anxious about security issues, compliance issues, and loss of control that might arise when migrating data to the cloud.
Lack of trust in cloud computing
The GREENSQL survey focused on a major problem: "When you move the database to the cloud, what are your main concerns about security?" "One-third per cent of respondents said they did not believe in the current level of security provided by cloud data storage services, and their rationale was that moving to the cloud meant full trust that service providers would be able to maintain fragmentation across a vast network platform that could be accessed simultaneously by multiple clients.
"If your corporate system is going to be used by another company you don't know, and you don't know what they're using for your hardware, will you put security in second place?" "The painful truth is that, as a cloud customer, most of the time you need to share your hardware and network with others, which means that security must be first," Greensql's chief technology officer, David Maman, laments. ”
The survey found that 22% of respondents were disturbed by the loss of direct control over their sensitive data after a database was placed in a cloud environment, which illustrates the challenges facing cloud storage vendors.
Maman says: "The core of your business is the information you store: Customer data and corporate financial information." Most of the time, this information is stored in the database. If this information is the real currency of your business, then the database is the safe for storing these currencies. Therefore, you must ensure that all possible security measures are used by the cloud service provider. ”
Maman also points out that while cloud service providers manage and monitor your data, it is not just the responsibility of cloud service providers to protect the security of databases in the cloud. Enterprises must adopt a positive attitude, protect sensitive data through monitoring, and establish effective policies and procedures for access control to ensure data security.
"When you install your own database application or use a database as a service (such as Microsoft SQL Azure), you have to control your information, which means that the database firewall is enabled," Maman says. "You have to perform segregation of duties, monitor database activity, and you must also conceal sensitive information." ”
Another problem besetting cloud services is the data backup mechanism and how the information stored in the cloud avoids abuse or loss. Can an enterprise really ensure that data backups are stored on separate tapes or other media devices specifically designated for them?
"Let me answer this question for you, not so," Maman said, "Your backup information will be stored with thousands of other customer data in the vendor's affordable backup media." Of course, you never know who can access this information and when. ”
Suppliers must slowly build trust
Rafal Los, Hewlett-Packard software senior security strategist and renowned cloud security expert, says cloud data storage providers can increase customer trust in their services through ongoing safeguards, such as active security monitoring, regular release of security status reports, and compliance with workable regulations.
"Customers are not asking for an outdated compliance report that shows you patched up on time, or a few months of penetration testing results, and they want to know that your environment is now healthy and safe," says Los. System security is closely linked to system health, both of which must be integrated with the analysis platform, such as the HP Opsanalytics platform, which provides real-time performance telemetry analysis and comprehensive log analysis, allowing users to determine whether there is a real-world inability to detect an attack, or to identify an ' unknown attack '. ”
Security means more than just compliance data, it also means understanding the state of the system as a whole. To increase customer trust, suppliers cannot simply claim that they are safe, they must demonstrate that they understand their dynamic environment, and that they can respond quickly to deviations from the normal mode of operation in order to protect the integrity of the customer's data and its services.
Customer must check cloud service provider
Los recommends that companies moving to cloud environments check all the capabilities of their chosen suppliers and determine whether their suppliers can provide them with real-time or near-real-time security and compliance status. "One of the key factors for customers moving databases into the cloud is that they need not only security awareness, but also that tested security may fail or fail because there is no absolute security," says Los. ”
He advises customers to avoid simply looking for suppliers who can provide "safe" services, and should look for vendors that demonstrate the ability to detect problems effectively, respond quickly to problems, and restore services, after all, as a key element of business functionality. Los said: "Through the system performance telemetry to detect anomalies in a timely manner, comprehensive real-time log analysis and advanced security components, your suppliers in the event of failure or testing, you can quickly find, respond to and restore your services." As a customer, don't just look for suppliers that provide ' safe ', find suppliers who know how to discover, respond to, and restore critical services. ”
(Responsible editor: Schpeppen)