Many IT staff believe that public cloud services are too insecure for critical program workloads and data. Doug Menefee, chief information officer of the medical information provider Schumacher Group, doesn't think so.
"There is a real risk of using cloud services, but everything is risky and we have to weigh the business interests against these risks." Menefee does just that, and now 85% of the Schumacher Group's business data is within the public cloud service.
Menefee does not consider himself a cloud service advocate; he says he simply accepts the cloud service model and is willing to do the cost-benefit and risk analysis.
To be sure, handing important data to the cloud is not a security concern; for example, the company has redesigned its identity management program. "We need to consider how to deploy identity management and security measures between programs in the corporate and cloud services."
Starting with authentication
Indeed, the realignment of identity management is often the starting point for businesses that choose cloud services, and businesses need to consider issues such as authentication, management control, location of data, and people who might access the data, said Charles Kolodgy, IDC's vice president for security products research. "These are similar to the usual security considerations for an enterprise, and the difference is that the enterprise no longer holds the underlying setup and is not fully in the background, so it needs to be readjusted to ensure security," he added.
Two companies, ServiceMesh and Symplified, provide unified access management products for businesses that need to enhance cloud security. The agility access provided by ServiceMesh comprises cloud management, security tools and modules, and service management. The trust cloud provided by Symplified is a unified access management and federation platform based on EC2, which consolidates and protects software and infrastructure cloud services, EC2, and Web 2.0 applications.
Benefits of cloud services
In addition to technical support, the cloud service model brings a new way of thinking about the Schumacher Group's operating resources, Menefee said.
"Large cloud service providers have dedicated teams and departments dedicated to protecting the customer's vital information and constantly seeking ways to improve security, monitoring, and intrusion control. As a medium-sized enterprise, we do not have a dedicated department responsible for security. With the help of cloud service providers, corporate security is more secure," he says, adding that even if a security leak occurs, these teams can respond faster than insiders.
Of course, after handing enterprise data to a cloud service provider, it is perfectly reasonable to require that provider to deliver the security the enterprise needs, but "do not ignore the security objectives or requirements of the enterprise because the data is given to the cloud service provider," said Chenxi Wang, analyst at the Forrester Institute.
Cloud service providers may have access to security, and companies must strictly hold cloud service providers to their security duties under contract. "If the cloud service provider tells you that what you are asking is impossible, you can tell them, 'Let's go to another cloud service provider.'"
Schwan Food Company in the United States used this strategy when planning a virtual disaster recovery architecture, said Cory Miller, senior IT operations manager. "We told the supplier, 'You must use our tools to extend these tools to your environment.'" "You can even make an agreement with a cloud service provider for an enterprise's security tools provider."
The virtual firewall that protects Schwan Food Company's virtual infrastructure comes from Reflex Systems Inc., which works with American computer science companies and SAVVIS companies (cloud service providers) to "ensure the uniformity of security and management when transmitting between private cloud and public cloud."
While Schwan is trying to extend cloud services outwards, many cloud vendors are eager to do so, but not all vendors are able to accept Schwan's requirements at the actual deployment stage, and technology consolidation is a challenge for these vendors.
"We tell these suppliers that if you can't provide these features or services, we can go to another supplier," Miller said.
Even small companies need to think long-term. If the enterprise is now building a private cloud and wants to expand to a public cloud service in the future, understanding the security tools that cloud service providers can or cannot support will affect the technology choices of the enterprise. "Companies certainly do not want the private cloud they design and the external public cloud to be so different in their management or encryption programs that they simply cannot appreciate the advantages of cloud services."
Strict requirements for cloud service providers
As cloud services mature, vendors are working to develop tools and services that can help businesses expand their requirements.
One of these tools is Adaptivity's blueprint4it, IT design software that enables organizations to create IT security diagrams, taking into account these factors: access policy, security of data in transit and static data, and the hardware and software components required for secure delivery of data from the internal network to the cloud service.
"Identify the requirements of the enterprise, create the plan, and then hand the plan to the cloud service provider, requiring the vendor to deploy cloud services as required," said Tony Bishop, founder and CEO of Adaptivity. Alternatively, the enterprise can use blueprint4it to evaluate the cloud service provider and help the enterprise score security architecture maturity.
Willing
When an enterprise chooses a cloud service, it needs to remember that "not every application in the cloud is secure, but at the same time, cloud services are not not going to ensure the security of any program," says John Pescatore, vice president of Gartner.
Even financial institutions, government agencies or other companies that hold highly confidential data, such as payment information or medical information, can find the necessary security in cloud services.
Pescatore says another approach is to use fake data in cloud services rather than the really important data: "Applications can be delivered to cloud services, but important data such as payment information or personal information should be kept in the internal network."
Clearly, enterprises have a number of issues to weigh when deciding whether to try out a public cloud service. They must consider the risks and benefits together and focus on the data and the necessary controls to make the right choice.