User Experience
As security gaps in cloud computing become more visible, users are looking for ways to secure data. New York investment Bank Financial Services Cowen company CIO Daniel Flax relies on cloud computing to automate the company's sales campaign. Although he is satisfied with the potential of cloud computing to lower upfront costs, reduce downtime and support additional services, he admits he must work to understand the security weaknesses of this emerging technology. "Security is one of the challenges we have to face directly," he said. ”
Evan Jones, owner and it director of Stitch Media, an interactive production company based in Toronto and Nova Scotia Prov. Halifax, is also worried about cloud computing security. "When you give important corporate data to a third party, you're scared," he said. ”
Like more and more IT managers, flax and Jones are beginning to realise that cloud computing does not provide a free shuttle to the company in terms of security. A Gartner report published last year identified concerns about security risks in several areas, such as data privacy and integrity and compliance management, which should slow down those who consider rushing into the cloud.
Gartner analyst Jay Heiser warns: "Businesses, especially those in regulatory industries, must weigh the business benefits and risks of cloud computing services." ”
One of the biggest risks of cloud computing comes from its nature: it allows data to be transmitted and kept in almost any place-even in different parts of the world. While data dissemination helps make cloud computing a cost and performance advantage, the downside is that corporate information can be stored in a storage system that is placed in a location where privacy laws are slack or non-existent.
Flax uses the salesforce.com company's force.com platform to automate the Cowen global sales system. He says the best way to ensure that data is avoided at risk is to work with a company that is a public firm, because it is a public company, so the law requires the vendor to disclose how it manages information.
Flax said Salesforce.com is a listed company, "So we are reassured by the strict processes and regulations that govern their data centers." "We know our data in the United States, we have reports about the data centers we're talking about," he said. ”
Agora games of New York State Troy City is a company that builds a web community for video gamers. The company Terremark CSM, its cloud provider, to place its data and applications in the main. But Agora's chief technology officer Brian Corrigan said the situation would soon change.
He said Terremark will soon provide Agora with "the choice of where virtual machines actually run." At present, the only option is Miami facilities, but Terremark will add other locations, so this will be a problem we can control. ”
Follow closely
The nature of cloud computing also makes it challenging to track unauthorized activity, even when careful logging procedures are used. Almost all cloud providers use cryptographic techniques, such as Secure Sockets Layer technology, to protect data in transit. But Heiser points out that it is also important to ensure that stored data is encrypted. "If the data is stored in a shared environment (which is common), you can assume that unencrypted data may be read by unauthorized people," he said. ”
Indian Harvest Specialtifoods is a company that delivers rice, grains and beans to restaurants around the world in Bemidji, Minnesota. Mike Mullin, the company's IT director, says he relies on the provider NetSuite company to ensure that the data he sends to the cloud is fully protected. "Because of the use of SSL, I am very confident that our data is safe," he said. If that's not the case, I think a lot of people will have problems and the entire cloud computing industry will be having problems. ”
Mullin points out that cloud users must also carefully assess their own infrastructure and security practices, especially access control. "Your infrastructure is as weak as the provider's infrastructure," he said. ”
Jones, who uses Amazon.com's S3 cloud platform to share files with entire global employees and contractors, believes access control is critical. He said: "We found that when we assign different levels, the system can best meet us." "The most sensitive documents are not delivered to the cloud at all; they are saved locally." Jones said: "There are some documents we are not going to send to the cloud, but I would say that 95% of documents do not belong to this level." ”
Corrigan says comprehensive cloud computing security requires a holistic approach to implementation. "To get super safe data, start with how to save them, and then solve how to transfer them," he advises. Manage access through a two-factor authentication scheme. If you are really worried, you can keep your own authentication server inside the company-which will guarantee you control. ”
Compliance issues
Because Cloud delivers business data to external providers, it makes compliance more risky than the system keeps within the company. The loss of direct regulation means that the client company must verify that the service provider strives to ensure that data security and integrity are robust and reliable.
Heiser that any cloud provider should voluntarily conduct external audits and security certifications to ensure the quality of specific controls. "The reluctance to co-operate is a warning sign," he said. ”
Flax, a strictly regulated financial services industry, relies on SAS 70 audits to ensure that his cloud computing provider meets government and industry requirements. "There is now a requirement for the SAS 70 audit in the data center," he said. The SAS 70 audit, developed by the American Certified Public Accountants Association, involves data transmission and preservation techniques and practices, including network operations, data protection, and physical security elements.
"We have read these auditing standards very carefully because, like the ledger of an individual, just because the audit is comprehensive does not mean they are fully compliant," Flax said. ”
In general, the fact that IT managers are increasingly aware of the security vulnerabilities of cloud computing and controlling them suggests that the adoption of this emerging technology is being viewed realistically rather than through tinted glasses.
Safe Cloud computing Five steps away
Understand how loosely structured cloud-specific structures affect the security of data that is delivered to it.
Ensure that the cloud provider provides detailed information about its security architecture and is willing to accept security audits.
Ensure that internal security technologies and practices, such as network firewalls and user access control, are well suited to cloud security measures.
Understand how laws and regulations affect the data that is sent to the cloud.
Focus on changes in cloud technology and practices that may affect data security.