Whether you’re a small, medium or enterprise company using cloud solutions, using secure Infrastructure-as-a-Service (IaaS) is a must. A couple of weeks ago I shared some survey data showing you the average security and compliance requirements from professionals in the IT industry. The results of the survey clearly show that security is a forethought for most businesses, but just like the term “cloud”, “security” can be a bit of a buzzword if not given proper context.
When thinking about security and potentially compliance within an IT environment, there are a lot of important items to consider; some of these can be “offloaded” to your provider, but others are your own undertaking completely. Start by asking yourself the following questions:
- Who is your “customer”? – Is your customer your end user? Or is it your internal organization? More than likely, it is both. Do these “customers” require different levels of security? If so, what are they?
- What level of security is “acceptable”? – This varies from company to company. Some organizations like healthcare or government must adhere to extremely strict security (and compliance) requirements, while other businesses might have more leeway when it comes to protecting their assets.
- Who in your organization is responsible for security? – Is there a particular team that is tasked with not only determining the security requirements, but also maintaining and auditing those requirements and activities over time?
- Is physical security required? – Do you need to physically audit and control your environment? Remember, while clouds are highly virtualized or abstracted, the providers are physical entities. Does your cloud environment need to be physically isolated from other cloud environments? (If so, you might want to consider a Hosted Private Cloud.)
- Does your company have its security best practices carefully documented? – If it does, you should review them with a critical eye to ensure that they reflect changes in technologies.
To the last point above, the most important philosophy for businesses to understand is that security isn’t a destination – it is a process that takes constant iteration and innovation. Regardless of which cloud provider you use (or even if you use traditional in-house infrastructure), this mentality is important to maintaining infrastructure security and compliance.
There are two core levels where security is critical:
- Your Cloud (or hosting) provider
- Within your organization
As most hosting or cloud organizations build their business around providing secure services, you would think that this would be a no-brainer. For the most part, it is, provided that you do choose a reputable vendor whose core competency is focused on delivering these services. However, many security failures actually happen because a customer stopped at that point and merely assumed that, because they chose a secure provider, all threats would be neutralized. If you don’t set up security best practices WITHIN those environments, you could be leaving your infrastructure vulnerable. Remember, your security is only as good as the best practices your organization implements.
Assuming that you have implemented these best practices, achieving compliance is much more straightforward. Compliance, as I mentioned, does depend on the vertical and your business and what that industry requires, so there is no clear-cut golden checklist of things you should do that can be boiled down into just a few bullet points. However, doing your research and documenting the process is a great first step.
Even if you have selected a cloud provider with a deep commitment to security, it is also important for businesses to understand what hardware and software components are necessary to protect their data.
In order to help businesses learn about security and compliance in the cloud, GoGrid created a white paper entitled, “Cloud Infrastructure Security and Compliance,” which is a primer for explaining security architecture, data security and role-based user management. If you have any doubts or questions about security in the cloud, this free white paper is a great source of information that can bring more clarity.