Nothing New in Cloud Security
First Published Friday, 13th April 2012 02:30 pm from TIBCO Software : Don Adams
The opinions expressed by this blogger and those providing comments are theirs alone, this does not reflect the opinion of Automated Trader or any employee thereof. Automated Trader is not responsible for the accuracy of any of the information supplied by this article.
Many in the business and academic communities have been up in arms that security risks are too high in cloud implementations, and therefore that the status quo is better for sensitive government and commercial environments. Many of those same individuals and organizations are pursuing research grants to come up with new and revolutionary ways to meet this "menacing challenge." Others joining the chorus have significant investment and long-term contracts to exploit and continue to profit from the status quo. In reality, the issues, when viewed clearly, are the same for a cloud-hosted environment as for any well-managed bespoke data center. Let's delve into the fundamentals that we have known for decades to address the security questions about cloud deployments; they are the fundamental technical solutions we often ignore or forget in our rush to pursue the "latest and greatest."
Let's begin by asking: "What do you know about your cloud provider?" What certifications, evaluations and practices define them? From Amazon Web Services (which has nearly every certification from PCI and FIPS and FISMA to FedRAMP) to your favorite legacy systems integrator (who has some subset of the measures of trustworthiness), you need to know why they are adequate and appropriate to your information and mission. While the mentioned certifications are mostly for targeted environments, they are very significant to how much you as an end-customer can trust their environment and processes.
When cloud became a rallying cry for efficiency in enterprise and government, every legacy systems integrator and outsource host suddenly redefined themselves as cloud providers. This isn't necessarily a bad thing, but you should understand how your cloud partner thinks, acts and, most importantly, how it accepts accountability for your information.
The level of assurance you need is tied to the sensitivity and value of the information your applications or their cloud applications are processing on your behalf. If you are moving your marketing information and related processing to their cloud, you only need to understand the availability, accessibility and integrity measures your partner is providing. As long as they deliver your information against a reasonable service level agreement and assure you that the information delivered is unaltered, that's all that you need from them. You don't need to know about their ownership, employees, certifications and detailed security practices. You don't care who sees the information because its purpose is to be seen. You just want to ensure that as many people as possible have access to it.
When you process sensitive information on your friendly cloud partner, you need to know who they are, who owns or influences them, who their employees are and that you can trust them as much as your own employees. You also need a clear understanding of their physical and technical security investments, as well as how often they test and evaluate all of the above. Processing your trade secrets and proprietary, financial or classified information requires a whole other level of knowledge, but does not necessarily exclude any selected partner as long as they are trustworthy enough. Trustworthiness at this level can mean background investigations not only on employees with access to your information, but on executives and influencers like board members or significant investors. Beyond knowing who runs your cloud, a lot of technical issues impact their level of trustworthiness. Stay tuned for more discussions about physical protections and their limitations.