The Down and Dirty of Cloud Security
Continuing with our series on the cloud, we venture into the vast universe of cloud security. For some this might be an intimidating topic to take on, what with the media bombarding us daily with stories of security breaches, hacking, spying and viruses. But I think there are some important things about cloud security that the public needs to know.
I think we can all agree that security is not only important, it is expected to be an integral part of any cloud solution. You don’t see cloud providers offering cloud services with security as an option. They don’t ask you if you want your cloud “with or without security included” because it is a foundational element we all must have to feel comfortable using the cloud.
Complex Cloud Security Simplified
Cloud security has many layers, forms and levels. The two most basic forms are physical security and logical security. There are also multiple layers that provide additional protection, and multiple levels that provide the ability to customize the amount of security based on your needs.
Your cloud provider should provide this security at a minimum:
- Physical security in a protected datacenter requiring card access to enter the building
- Security check-in once in the building, documenting the name, personal ID and date/time of the person entering
- Physical security to enter the datacenter floor (where all the computers are located) using biometric recognition and/or key-card access specific to the individual accessing the space
- Once on the computer floor, the physical computers should be in locked cabinets
- In cases requiring high regulatory compliance, the locked cabinets should be contained in a “cage,” which is a physical fence with sides, top and bottom surrounding the computer cabinets, with the cage requiring additional card key access
- Firewalls within the computer cabinets to provide intrusion protection, anti-virus, etc.
- Network separation, both physical and logical, to separate your systems from all others
- Additional logical separation within the cloud environment to protect your systems and data
- Login IDs and passwords for authorized administrators only to access systems
- Login IDs and passwords for authorized administrators only to access specific software within the systems
This is only a basic short list, but you get the idea. Cloud security is in multiple forms, layers and levels, each providing additional protection for your systems and your data.
What Home Security and the Cloud Have in Common
To simplify cloud security even further, let’s compare it to an example most of us can relate to – security in your home. In the physical form, you may have a security system installed with sensors in each window and door, and motion detectors in each room. Once installed, you have the ability to customize how each sensor works, which doors and windows should be on or off, and you have a passcode to turn the system on and off. You determine who has the passcode.
You have a second layer of physical security using locks on your front and back door. This provides an extra level of security beyond the electronic security system. Inside the house you have another level of security with locks on each door and potentially locks on cabinets, desks, safes, gun cabinets, etc., all providing more specific security based on what you are trying to protect. You are able to define and customize who is able to access what based on the security level required. Mom and Dad have access to everything, but the kids cannot access the liquor cabinet or the safe. The babysitter only has a house key, but not the passcode to the alarm system or any of the interior doors. The yard guy has access to the garage door code, but nothing else in the home.
You then add the logical security level with passwords for all of the technology in the house. Each computer has its own password, and many times will have multiple passwords based on who’s accessing it – mom, dad, child 1, child 2. You even have passwords on televisions, movies on demand, Xbox, etc. Each security measure is customized based on who should have access and to what level. Johnny is 13 and can watch movies, but he is not authorized to purchase a movie on demand. Suzie is 18 and can watch movies and has her own password to download movies on demand. You get the picture (pun intended).
As you can see, even in the home, security can get pretty detailed and complicated based on the levels and layers you want to deploy.
If we carry this idea into the world of the cloud, we have the same layers, forms and levels, just on a mega scale and with mind-numbing complexity.
We often hear companies state that they feel more comfortable having systems in their office because “they are more secure than the cloud.” Really? How so? Is it because they are in a locked closet down the hall and you know where they are? Considering the multiple forms, levels and layers of security a cloud provider operates with, this is not really a compelling case for not moving systems into the cloud.
Safer in your office, or in a data center?
Technology security for an office environment would include technical equipment locked in a closet with the potential for additional key-card access (physical), a firewall to filter all the bad stuff out (logical) and passwords to gain access to the various systems (logical). The company may even lock user desktop computers to the desk (physical). The building may have additional security with key-card access required after hours, security guards and security cameras. There would also be a list of authorized users that can act as administrators for computer systems. In a truly secure office, administrator access would be very closely monitored and held by two or three people. Unfortunately, we often find that all users have access to administrator login and password information, which effectively destroys all the other security layers in place.
In the cloud, there are the same types of security – just on steroids. Cloud security not only has to include physical and logical security of all the systems and software, it must include additional security to ensure customers cannot access or “see” other customers’ information. Since cloud services include multiple customers or ‘tenants’ in the same environment, this separation and security is critical. Every cloud provider should provide this as a basic aspect of their service.
Not only would any company want assurance their data is safe from others, many companies have business regulatory requirements to ensure their data is isolated and secure. Health-related data with HIPAA, financial data with SEC, credit card data with PCI, to name a few. In addition, some regulatory statutes require company data NOT be on shared storage.
Sometimes You Share the Pool – Sometimes You Don’t
Often the cloud environment is a giant “pool” of computing and storage resources. The cloud provider allocates the amount of processing and storage according to the needs of the customer. These resources can then easily be increased over time, as needed, by taking more out of the pool of available resources.
The obvious benefit to sharing the cloud resource pool is the customer only has to pay for what they truly need when they need it, which drives costs down for the company (typical savings are 20-25% when compared to owning the systems). When in a pool of resources, often the data is contained in a mass amount of storage space – not gigabytes or terabytes, but petabytes of storage available. Your company data is logically segregated from other companies’ data and is accessible only by your users. The security is logical, but very sound and will meet any security requirement, except for physical separation. It is far more efficient for the cloud provider to deploy this way because it is easier to manage and more cost effective.
If your company requires data to not be on shared storage, this means the cloud provider must physically separate your data from the data of all the other customers. This can be easily done by the cloud provider implementing separate storage and dedicating that storage to only your company. However, if you do indeed need your data separated, you must find out if that dedicated storage is as redundant as all other cloud services are. There should be, in essence, duplicate storage to provide failover should one of the storage devices fail. If your storage is separate and dedicated but not redundant, your cloud service would go down if that storage were to fail.
Security is NOT Your Concern
The great news about the cloud is you don’t have to worry about the cost, complexity and management of security. This is precisely what you have hired your cloud provider to do for you. If you are ever in doubt, or you’re a closet geek wanting to know more, just ask your cloud provider to tell you what they do to keep your systems and data safe and secure. They should be more than willing to share and even brag about it. We sure do.
>> Part 2, We Asked Fluid’s Team, What is the Cloud?