Critical.
Authoritative.
Strategic.
Subscribe to CIO Magazine »

4 essential cloud security tips

But before making the leap to public cloud, consider these pieces of advice from those that have already jumped

More and more enterprise IT shops - as they get comfortable with virtualization practices in their own private clouds - are considering a jump to the public cloud. But before making that leap, consider these pieces of advice from those that have already jumped.

1. Make sure your provider has VM-specific security

"Hypervisors were never really designed to be running in a public environment," says Beth Cohen, senior cloud architect for Cloud Technology Partners, a consultancy.

That fact doesn't necessarily stop them from being secure, Cohen says. But it does require a more elastic security strategy that can deal with the issues of virtual machines (VM) moving around the underlying infrastructure, interacting with cloud applications, and supporting multiple tenants.

Customers going into the public cloud need to understand that perimeter security - while it still needs to be in place in any virtual data center environment - isn't going to help with the internal security of virtual machines, says Michael Berman, CTO of Catbird Networks, a vendor that focuses on virtual machine security.

Both Cohen and Berman have pointed potential cloud consumers to VMware's vShield, which is both a product that offers integrated security services to the underlying VMware hypervisor and a set of APIs that allow third-party security vendors to build security services on top VMware's platform.

VMware's Dean Coza, director of product management for security products, points out that a dozen security vendors announced products that tap into vShield to deliver virtual machine security products at last month's VMworld conference.

But VMware is only one of the virtualization software vendors out there and the company has said very little about how these tools will help lock down other popular VMs from Microsoft and Citrix.

Experts describe the top cloud security concern

2. Figure out a way to lockdown endpoints

Predictions for mobile device sales are staggering. Forrester says tablet sales will hit 208 million by 2014. Gartner contends that 1.1 billion smartphones will be sold in 2015. Enterprises moving to the cloud must brace themselves for many more of these consumer-type devices trying to get to corporate data and applications in the cloud.

"The BYOD [bring your own device] to work issue is huge because now you have devices you don't own trying to access your data over networks that you don't control," says Tom Clare, senior director of product marketing at Websense, a content security vendor.

Jacob Braun, president and COO of Waka Digital Media, a managed security service provider and consultancy in western Massachusetts, says one way to help limit the number of users wanting to run personal devices on the corporate network is to set up policy roadblocks.

These include limiting what they can do on the machine while attached to the network, requiring them to pay for mobile malware protections and confiscating the device if there is a security issue.

But there are legitimate circumstances for giving upper management controlled access through the cloud. Braun's company uses products such as Kaseya's mobile device management module, which is part of the vendors overall IT System Management platform, to gain that kind of control.

Joe Coyle, CTO for Capgemini Consulting, contends that in order to effectively support mobile devices you must make sure your provider's ID management scheme jibes with your internal one.

"They are coming in from everywhere, so if you lock them into their set roles through consistent ID management, then you have a decent shot at making sure they are not getting to data they - or their machines -- don't have rights to," Coyle says.

3. Push your cloud provider to put security in your SLA

Standard cloud service provider service-level agreements (SLA) barely touch on security, so it's a buyer beware kind of situation.

"Make sure your provider is willing to move well beyond simple monitoring of your service usage," says Torsten George, vice president, worldwide marketing at Agiliance, a security vendor that offers governance, risk and compliance services.

Customers have a right to push for insight into a provider's compliance posture, its overall security posture and how it stacks up against benchmarks for best security practices.

"Absolutely push for a custom security SLA," says Jeremy Crawford, CTO of MLSListings, a Silicon Valley-based regional Multiple Listing Service (MLS) that supports over 5,000 brokerages and 18,000 subscribers. Crawford has negotiated security focused SLAs with three public cloud providers. He takes a look at the providers' standard security agreement, but only consents to about 50% of the language in most cases. He pushes for more favorable language relating to visibility into the providers' systems and sets up specific terms about shared liability should there be a breach.

"You've got to have teeth in the contract or you'll have no legs to stand on if there is a data leak," Crawford says.

4. Act quickly

Richard Rees, manager of EMC's virtual cloud consulting services, says enterprises should move quickly on an overall strategic plan for pushing their business process out to the public cloud in a controlled fashion. By doing so, you avoid rogue pockets of public cloud within the companies.

"I am always surprised by how quickly departmental pilot projects morph into business critical applications," Rees says. Due to the relatively low cost of entry into most public cloud applications, the likelihood that they are being used without IT's knowledge is pretty high.

Read more about cloud computing in Network World's Cloud Computing section.

Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.

More about: Catbird, Citrix, EMC, Gartner, Kaseya, Microsoft, Technology, VMware, Websense
References show all

Comments

Post new comment

The content of this field is kept private and will not be shown publicly.
Users posting comments agree to the CIO comments policy.
Login or register to link comments to your user profile, or you may also post a comment without being logged in.
Related Coverage
Related Whitepapers
Latest Stories
Community Comments
Tags: cloud computing, internet, security
Latest Blog Posts
Whitepapers
  • Oracle x86 Rack Servers Optimized for Rapid Deployments and Operational Efficiency
    Business-critical and mission-critical workloads — demanding applications and databases — require stable and secure environments. When these types of workloads are deployed on x86 servers, the need to ensure business continuity, maximum uptime, and consistent processing means that IT managers and business unit managers are looking at enterprise x86 servers in a new way: They realize that the business depends on these servers and that x86 server platforms for the enterprise are no longer expendable, as they might have been when servers were dedicated to a single application — or when they were deployed as small Web servers that could be easily taken offline and replaced.
    Learn more »
  • Case Study: HJ Heinz
    Heinz has trusted Sophos to protect its desktop users and email systems from malware and spam for many years. As part of its multi-tier approach to IT security, the company needed more robust protection against web-based threats and the use of unauthorised applications.
    Learn more »
  • Securing SOA and Web Services with Oracle Enterprise Gateway
    Companies worldwide are actively deploying service-oriented architecture (SOA) infrastructures using web services, both in intranet and extranet environments. While web services offer many advantages over traditional alternatives (e.g., distributed objects or custom software), deploying networks of interconnected web services still presents key challenges, especially in terms of security and management.
    Learn more »
All whitepapers
rhs_login_lockGet exclusive access to Invitation only events CIO, reports & analysis.
Recent comments