How Secure is that Cloud Vendor? 7 Basics

All cloud computing vendors will tell you how wonderfully secure their services are. As you evaluate those claims, here are 7 key factors to consider.

By David Taber
Wed, January 26, 2011

CIO — Cloud computing security is an incredibly broad (and deep) topic, so I can only scratch the surface in a short article. Even so, let's try to get the basics under control.

The first order of business is making sure we're talking about the same thing. Some cloud vendors try to blur the lines between security, reliability, and disaster recovery/business continuity. While all of these are important attributes, blurring them just confuses the conversation. So let's stick with the standard definitions in this overview.

1. Let's Get Physical
In on-premises systems, Job 1 of security is to make sure that unauthorized people don't get physical access to the machines. If someone can connect foreign hardware, reconfigure the system, or control the system boot cycle, an awful lot of security is out the window. In a cloud-based service, you don't have to worry about this on the server side — that's the vendor's job. While there have been occasional breaches of cloud services over the years, established cloud vendors have pretty tight operations groups — and most of them treat their internal security procedures as highly guarded trade secrets. Which means you won't be able to get much info to evaluate them. With a reputable vendor, it's safe to ignore this issue.

2. Identity Crisis
The next item that must be handled is identity across clouds. The first things to look for are in the area of authentication and authorization: password strength, IP range blacklists/whitelists, login hours, two-level authentication... all the stuff you're used to with on-premises systems. Most cloud vendors should have this covered, at least through add-on features or modules.

And of course, there's the too-often-neglected issue of privilege revocation. While this is more a process issue than a systems one, look for features that prompt the administrator (or automatically warn of users who likely need revocation) to make for a tighter ship.
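One way to produce the kind of automatic revocation warning described above, as an added example that is not from the original article or any vendor's product. The account fields, idle thresholds and sample records are assumptions constructed for illustration.

```python
from datetime import datetime

# Constructed sample export: account records as an admin console might list
# them. Field names are assumptions, not any vendor's schema.
ACCOUNTS = [
    {"user": "alice", "enabled": True,  "last_login": "2011-01-20",
     "hr_status": "active", "admin": False},
    {"user": "bob",   "enabled": True,  "last_login": "2010-09-02",
     "hr_status": "active", "admin": True},
    {"user": "carol", "enabled": True,  "last_login": "2011-01-18",
     "hr_status": "terminated", "admin": False},
    {"user": "dave",  "enabled": False, "last_login": "2010-03-11",
     "hr_status": "terminated", "admin": False},
    {"user": "erin",  "enabled": True,  "last_login": None,
     "hr_status": "active", "admin": False},
]


def revocation_candidates(accounts, today, max_idle_days=90, admin_idle_days=30):
    """Return (user, reason) pairs for enabled accounts that likely need revocation."""
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # access already revoked
        # Strongest signal: the person has left but the login still works.
        if acct["hr_status"] != "active":
            findings.append((acct["user"],
                             "enabled but HR status is " + acct["hr_status"]))
            continue
        # Provisioned but never used: often a forgotten or duplicate account.
        if acct["last_login"] is None:
            findings.append((acct["user"], "enabled but never logged in"))
            continue
        last = datetime.strptime(acct["last_login"], "%Y-%m-%d")
        idle = (today - last).days
        # Privileged accounts get a tighter idle limit than ordinary users.
        limit = admin_idle_days if acct["admin"] else max_idle_days
        if idle > limit:
            findings.append((acct["user"], f"idle {idle} days (limit {limit})"))
    return findings


if __name__ == "__main__":
    for user, reason in revocation_candidates(ACCOUNTS, datetime(2011, 1, 26)):
        print(f"{user}: {reason}")
```
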

The other side of the coin is making the authorization process less annoying to users: SSO connectors and delegation infrastructure are needed for any practical multi-cloud applications. User account or ID anonymization/obfuscation is particularly important if your applications need to span suppliers or channels in the supply chain.

3. Encryption
Encryption is an obvious requirement for cloud applications, and HTTPS is the baseline for all user logins and integration connections. Many cloud applications, however, are not built to have the data encrypted within the cloud. Indeed, in some cases it's not even possible to have the cloud data stored in encrypted form. As this poses risks for customer privacy, corporate snooping, and even Fourth Amendment protections, ask your cloud vendors about internal encryption and push for it in their roadmap presentations.

4. ILP/DLP
As I wrote in an earlier column, information loss protection (aka data leakage prevention) is a critical issue for business applications. Every year, 80 million consumer identities in the U.S. become compromised due to accidental losses and deliberate attacks. Even if you like WikiLeaks, losing control of business information is something to worry about.

In cloud systems, there are two major risk areas for leaks. The first category is a breach within the cloud vendors — something you have little control over (other than vetting vendors). But you can at least demand as part of your cloud vendor SLA that they notify you of any breach that affects your data.

The second category of breach you do have control over: loss at the end-point. This requires add-on software or hardware for each server, PC, and mobile device that presents or processes data from your cloud application. The goal is to make sure that only authorized data transfers occur, and they must be regulated down to the device and file/object level. Further, use of file encryption and auto-erase (upon loss of control of the device) is required, particularly if your organization has a large field force. While general-purpose ILP/DLP products are a good start, there are now some startups offering solutions tailored to the specific needs of cloud-based software.
