Unicon is publishing an article on ways of approaching decision-making about adopting cloud and/or managed services. The article will be broken down into segments. The segments will cover elements including: strategic, financial, architecture, security, process, and people.
We continue the series this week by publishing the security segment of the article.
The Security Element
As with any environment, security is a complex landscape and most often a question of acceptable risk profile or tolerance. The considerations are similar to those for any hosting environment - physical security of the provider's facilities, network and compute infrastructure security, data security, application security, and security operations and processes. While there are examples of deploying applications to public clouds with stringent physical, network, and data security requirements (e.g. to meet HIPAA or PCI DSS compliance), it can be challenging to determine if the cloud provider's implementations meet risk tolerances for secure computing requirements. While SAS 70 Type II audits are good, they are still limited to an inspection of the IT controls that the provider claims to practice. One needs to do the homework on the controls that are claimed to determine if they meet an organization's particular needs.
It is also necessary to delve into the particulars of the applications and data that are under consideration for cloud migration. Ideally, the organization's IT security policy, including data classifications and security requirements, can be used as a guideline to inform the cloud migration decision. Applications serving or handling only publicly available data (e.g. public web presence, course catalog) may be more amenable to early cloud migration than those containing sensitive (data loss/compromise will cause limited damage) and/or restricted (data loss/compromise will cause substantial damage) classes of data. The characteristics of the application should also be recognized.
Questions to consider:
- Is this a legacy application with vulnerabilities that cannot be patched and therefore require unique protections?
- Are security vulnerabilities discovered frequently for the application?
- Are any of the applications, or the organization/institution itself, the target of cyber-attacks such as DoS/DDoS, targeted, or brute-force attacks?
Repelling DDoS is an expensive proposition for anyone, but the "shared investment" of a large public cloud infrastructure can be an additional tool in the battle against cyber-attacks. Other application security characteristics may make public cloud deployment difficult. In some cases, even though a case can be made that a public cloud environment can be made secure enough, cloud simply does not fit the organization's risk tolerance, and either traditional operations, a private cloud, or managed services with full transparency into the environment and processes does fit that tolerance.
Every week for the next two weeks Unicon will publish another segment of this article. Please check back for the next segment, which will cover the process element.
