I am pleased to welcome a guest post from Chris Richter, vice president of security products and services at Savvis, a CenturyLink company.
Despite cloud’s appealing cost model, lots of questions remain on the topic of cloud computing and data center security.
The concern is understandable: Your customers expect secure service, giving little thought to the infrastructure supporting it. Your compliance with various industry and regulatory standards demands security, but many of these rules have not caught up fully with cloud environments. And you’re flooded with options from the market’s many vendors, each with its own approach to security.
Cloud security is complex and requires careful evaluation on a number of fronts. Before even looking at providers, look inward and ask yourself:
- Is cloud even right for you right now? Corporate and ERP systems, for example, may not be ready for the cloud, but SaaS-enabled applications can offer the required functionality of traditional corporate applications. Examine your infrastructure to determine where the cloud makes most sense.
- How is your data classified? Whether your data will be stored, transmitted or processed within cloud will determine your security requirements, deployment model and service provider. It will also help you assess the risks of various cloud scenarios.
- Have you determined your cloud type? The cloud architecture has incredibly important implications for how you securely store, process and transmit your data. If you’re building a Software-as-a-Service application, you may consider an Infrastructure-as-a-Service platform, whereas if you’re testing a new application, you may choose a Platform-as-a-Service model.
- What is your preferred delivery model? Here’s where data classification really demonstrates its value. If you have highly critical data, consider private cloud, understanding it may not be the least expensive choice. Public clouds, on the other hand, tend to offer the greatest cost savings and speed of deployment, but you may NOT have as much say over your security controls. Hybrid clouds are a good choice for enterprises that require the control of a private cloud with the cost savings of a public cloud.
- What is your cloud provider’s approach to security? Most service providers have their own security policies. But the commonality ends there. Understand your provider’s security policies, and ask whether there’s room for augmentation in the form of run-books that specify how specific incidents are handled.
These are basic steps for any first foray into cloud. Once you’ve selected a cloud environment that provides a functional-yet-economical platform with the performance and scaling capabilities you need, you’ll need to drill down to the layers of your platform architecture, security controls and service policy requirements.
No organization should miss out on the cost and efficiency advantages of cloud because they are intimidated by its security configurations. The market is full of opportunities. Find the right one by taking stock of your infrastructure, the options available and your security policies.
As many readers are aware, I was a "cloud curmudgeon" for a very long time, wary of the security risks in the cloud, especially for lawyers. In the wake of blizzards, derechos and Hurricane Sandy, I have become a big fan of the "5 nines" - 99.999% guaranteed uptime at most datacenters for electricity and Internet connectivity. With care, you can find a cloud provider that will negotiate its terms to permit law firms to ethically store client data in the cloud. We did!