Security for Large-Company Cloud Providers

I'm a CIO or CSO of a corporation that has yearly revenues of $1 billion or more. What are the security concerns that I have before I'm willing to deploy my IT infrastructure into a cloud? Let's flesh out the following security issues: What belongs in the cloud? How should sensitive data be protected? How are encryption upgrades addressed? How do I limit access to sensitive data? And how will critical systems metadata (data describing data) be tracked?

By Gregory Machler
Tue, November 23, 2010

CSO — I'm a CIO or CSO of a corporation that has yearly revenues of $1 billion or more. What are the security concerns that I have before I'm willing to deploy my IT infrastructure into a cloud? Let's flesh out the following security issues: What belongs in the cloud? How should sensitive data be protected? How are encryption upgrades addressed? How do I limit access to sensitive data? And how will critical systems metadata (data describing data) be tracked?

See also: Cloud security: The basics

Let's assume that each corporation has a variety of firewall segments and corresponding network equipment within the cloud-computing vendor's cloud. Each segment will have a variety of applications it supports. Because other companies may be in the same cloud, they may share the same firewall segment and network components, the same database, virtualized operating system, and virtualized storage. (Related: Small clouds: Security selection criteria)

Cloud Security: Ten Questions to Ask Before You Jump In
Defining Cloud Security: Six Perspectives

First, let's look at some realistic security constraints about the cloud vendor. It may be difficult to deploy all a corporation's infrastructure within the cloud because of a lack of standardization within the businesses' current IT applications. For example, one of the clients I worked for had a mainframe solution that was integrated with a web service. The web service interfaced with a POS (point of sale) system and communicated with the mainframe using a proprietary port over TCP/IP. The mainframe received and stored sensitive credit information. For this solution, all of the POS solution, web service, and TCP/IP communication could be put in the cloud. But, the mainframe's application, proprietary storage infrastructure, and encryption techniques make it hard to put it into the cloud. The mainframe application could be potentially ported but would likely require a difficult rewrite. It would not be wise to do this without performing a ROI (return on investment) review.

A second concern is access to sensitive data. How is sensitive data stored in the cloud? SAN (storage area network) subsystems stripe data over many drives in the storage array. Do I want to stripe encrypted data over the entire array of disks? My concern is that corruption in a database, file system, or a disk or solid state drive may spread to other applications sharing data (virtualized) within the same subsystem. So I want a method to isolate the encrypted data in the database, file system, or on disk. The bounding of data will limit the effects if corruption occurs.

Continue Reading

Originally published on www.csoonline.com. Click here to read the original story.
Our Commenting Policies