I first posted about Cloud Security in two consecutive postings four years ago, here and here. I guess I was pretty optimistic about the future of security in the Cloud. I predicted that by 2012 a number of cloud service providers would be offering comprehensive Security as a Service products, giving companies a consistent, cost-effective security solution. While a number of companies do have offerings in this area, none has yet become a total security solution. Organizations are still responsible for a lot of their own planning and implementation. Solutions from companies like McAfee, Cisco, and Symantec are well worth looking at, but don’t expect to write one check and be done.
In the meantime, every organization is moving to the Cloud, often without knowing it. Every time you have a partner who performs some function for the organization, and your data is stored or moved outside the control of your IT department, you are using the Cloud. You do this because it is less expensive and usually something you just don’t want to think about. If you use Salesforce, Google or Microsoft collaborative systems, let your Internet Service Provider handle your email, or use a third party to accept orders and payments, you are in the Cloud.
Over the past few weeks several people from different lines of business have asked me essentially the same question, “What’s different about security in the Cloud?” And they want the answer in less than two minutes.
So here goes.
Your security requirements in the Cloud are identical to those you had before. You still need to protect the same data to the same level. The Cloud can make meeting those requirements more difficult, or even impossible. Or it can make it easier and less expensive.
If you are not secure today, you will not be secure in the Cloud. You need to get secure in your current environment before you consider a move to the Cloud. This means you must have a security policy, and enforce it.
When you move to the Cloud you are adding new partners. Vet them the same way you would vet any other partner in terms of financial stability, reputation, past security problems, support capabilities, and general corporate vision.
You are often adding invisible partners. Your Cloud Service Provider (CSP) may, for example, use a company in Shanghai as its network operations center. Find out who they use and how they vet and monitor them.
A good CSP will provide better security monitoring and keep the systems they control for you up to date on OS patches and attack-protection software. Almost always their datacenter is more physically secure than yours is. Take advantage of every security capability they offer. Also consider utilizing their disaster recovery options. Because of their economies of scale, you will probably find a much better recovery environment than you have today, at a fraction of what it would cost you to build.
Make sure what your Cloud partners propose matches your security requirements and is consistent with your security policy. Get everything in writing. You may not find a single CSP that will meet all of your requirements for all of your workloads. Most of you will eventually end up with a Hybrid Cloud, a mix of several different cloud models, very likely from multiple CSPs.
The last word:
You also use the Cloud at home. If you store photos in the Cloud, buy music from iTunes or books from Amazon, pay with PayPal, or access your bank and investments from your smart phone, you are in the Cloud. Think about what you do where something of yours leaves your control. If that something has value to you, or could impact you if someone else had it, then you need to take the basic precautions.
- Do not go to web sites you do not trust.
- Do not click on a link in an email if you don’t really know who it is from. Check the sending email address, not just the display name, to make sure it is from the company it claims to represent.
- Never give out passwords to someone in an email or phone call.
- Use a different, non-trivial password for each site.
- Check each financial account that you access online frequently.
- Consider an identity protection offering like LifeLock.
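The "check the sending address" advice above is easy to state and easy to get wrong, because the display name in a From header is free text and attackers register lookalike domains. The following Python script is an added illustration of that check, not code from the original post. The brand-to-domain table and the sample headers are constructed for the example, and a real mail server would rely on SPF, DKIM and DMARC results rather than on the header text alone, since the From header is entirely under the sender's control.

```python
"""Classify an e-mail From header by whether the address matches the brand the
display name claims.  Added example; the brand table below is hypothetical."""
from email.utils import parseaddr
import unicodedata

# Hypothetical table: brand name as it appears in display names -> domains
# that brand really sends from.  Subdomains of these are accepted too.
TRUSTED_DOMAINS = {
    "paypal": {"paypal.com"},
    "amazon": {"amazon.com"},
}


def _levenshtein(a, b):
    """Edit distance, used to catch one-character lookalikes (paypa1 vs paypal)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_from_header(from_header):
    """Return (verdict, reason) for one From header value.

    Verdicts: 'ok', 'lookalike-domain', 'display-name-spoof', 'unknown-brand',
    'unparseable'.
    """
    display_name, address = parseaddr(from_header)
    if "@" not in address:
        return "unparseable", "no address found in From header"
    # Fold Unicode confusables (full-width letters etc.) and case before comparing.
    domain = unicodedata.normalize("NFKC", address.rsplit("@", 1)[1]).lower().strip()

    # Which brand does the header claim?  Look in the display name and the address.
    haystack = unicodedata.normalize("NFKC", display_name + " " + address).lower()
    claimed = next((b for b in TRUSTED_DOMAINS if b in haystack), None)
    if claimed is None:
        return "unknown-brand", f"no known brand claimed; sender domain is {domain}"

    good = TRUSTED_DOMAINS[claimed]
    if domain in good or any(domain.endswith("." + g) for g in good):
        return "ok", f"{claimed} mail from {domain}"

    # Not a trusted domain.  Is it imitating the brand, or simply unrelated?
    first_label = domain.split(".")[0]
    if claimed in domain or _levenshtein(claimed, first_label) <= 1:
        return "lookalike-domain", f"{domain} imitates {claimed}"
    return "display-name-spoof", f"display name claims {claimed} but address is {address}"


# Constructed sample headers covering each verdict.
SAMPLE_HEADERS = [
    "PayPal <service@paypal.com>",
    "Amazon <ship-confirm@mail.amazon.com>",
    "PayPal Security <alerts@paypal.com.account-verify.net>",
    "PayPal <noreply@paypa1.com>",
    "PayPal <customer@gmail.com>",
    "Alice <alice@example.org>",
]

if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        verdict, reason = check_from_header(header)
        print(f"{verdict:20} {header:55} {reason}")
```

Note that the subdomain test insists on a leading dot, so `mail.amazon.com` passes while `paypal.com.account-verify.net`, whose real registrable domain is `account-verify.net`, is flagged; that trick is exactly what a quick glance at the address misses.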
You don’t need anything like the same security for accounts that hold none of your personal or financial information. For example, if you have accounts at several news sites, professional associations, or other purely informational web sites, it is fine to use the same user name and password across them.
Keep your sense of humor.