CLOUD INFRASTRUCTURES have the highest security demands, not least of which is assured data protection. The cloud market is not transparent, and companies remain cautious and sceptical of cloud security claims. With the increasing number of cloud providers, and variations in offerings, how can companies make sure that their data is secure and that quality requirements are met?
The four pillars
There are four core pillars of cloud security on which a solid strategic solution should be built1. These pillars must be the primary focus when companies are considering a cloud vendor as a partner. With a myriad of vendors offering catalogues of options for consideration, four key principles should be observed as a starting point for the journey an organisation is to embark on towards secure cloud provision. This paper only scratches the surface of all elements that need to be considered when moving towards a cloud based infrastructure model, but they should provide a good starting point to begin investigation.
1. Security
In terms of data and datacentre security, we are speaking of both physical measures, and logical data control. A provider must take the appropriate physical security measures if they are to convince organisations that they are a trusted and secure vault within which to store their most confidential of information. The most comprehensive technological security is redundant without robust and impenetrable physical measures. Are the datacentres themselves secured from external penetration, with technology halls controlled through complex access methods including card, biometric, and other modern measures? A comprehensive rights and identity management policy is as important as encryption Technologies, such as one-time passwords for accessing sensitive data. Although often not spoken about, in this modern age of cyber-crime where information is power and more often money, physical control can be overlooked in favour of complicated technological encryption. Whilst securing the data is vital, without physical control and limitations on access to the home of the data, everything else is meaningless. Does the provider’s datacentre have twin redundant power feeds with backup generation, and networking connectivity to the outside world across multiple diverse routes? These are some fundamental questions, but essential for true secure and resilient cloud infrastructure. Cloud security must begin with securing the location in which the data is to be stored. Build the vault first before working on the internal lock boxes.
2. Reliability
We are now more than ever a global community, with international business operating twenty-four hours per day, fuelled by a never-ending flow of data traversing the information super-highway. This imperative to be able to work around the clock demands a quick response and the continuous availability of information and data infrastructures as a prerequisite for efficient work. If the ICT infrastructure suffers an outage, this can cost a company dearly. The importance of round-the-clock working brings with it the increased risk of power failure and business continuity, where the mantra of ‘zero outage’ has never been so prevalent.
A high quality of service is promised by all service providers, but attention needs to be paid to the details - Even a guaranteed service level Agreement with 99.95% availability allows the provider a potential downtime of up to 43 hours per year. With a one hour outage at a bank’s data centre estimated to directly cause a loss of up to $2.5 million, now more than ever before in history, time is most definitely money.
To operate within this pressured never-ending business day, a ‘twin-core’ approach is recommended for datacentre strategy, whereby all critical systems and data are mirrored in a second data centre to ensure business continuity. The individual components of the data centre technology on the part of the provider should therefore be consistently based on a zero-defect strategy. This includes diverse network connections to the data centre locations, as well as an encrypted data transfer.
These are only a few basic technical requirements in order to maintain current business operations. The data centre hosting cloud services should also have a comprehensive disaster recovery plan in place, as the failure of a single-source power supply can undermine any technological safe-guards. Even two network cards do not help when a power supply is interrupted.
3. Privacy
Privacy is an essential consideration when contemplating a move to a cloud based architecture model, and the choice of public, private, or hybrid cloud is largely driven by the sense of security required based on the company’s size or specific application requirements. Usually a company will know what their data privacy requirement is, perhaps based upon known industry legislation and regulation that stipulate a pre-determined location for data storage. A good example of this is where there are restrictions on cross-border movement of sensitive information. Sometimes this is not a given, and there may be various factors to take into account in order to decide whether data must remain inside company walls, or can be pushed to a public cloud space.
With technological advancement in cloud brokers and aggregated data storage, the notion of hybrid clouds is becoming a more common topic of discussion. The average company generates a large volume of information each year, much of which will be secure statistical data or private concepts, whilst some will be simple administrative information. It therefore makes sense that one solution does not best fit both scenarios. Cost savings can be made through a pragmatic approach to data storage, limiting the on premise private storage to that which must be kept secure, with more general documentation stored at a cloud provider. Whatever method is selected, data centre, hardware, and software environments will most likely be provided through virtualisation procedures, meaning several companies will receive IT resource from the same computers. It must be ensured at all times that the respective company information is available exclusively, and only, for employees of the company itself. Companies should pay attention to internationally recognized certifications such as ISO 27001 when they consider going to work with a particular service provider.
4. Standardisation
The key to suppliers capability to provide cloud services to the market is standardisation of platform solutions and economies of scale on required resources, whether hardware, software, or manpower. These capabilities are also driven by automation of essential services across a large infrastructure cross-section.
Through this investment in standard methods and automated toolsets, customers can benefit from truly flexible models and dynamic propositions. With continual technological advancement, customers can now benefit from automated purchasing processes for their cloud requirements, and the ability to only pay for what they consume. Through self-service portals organisations can start up servers at 9am, and switch them off at 5pm, incurring a charge for eight hours rather than traditional on-going cost models.
This truly presents a unity of technology and business requirements from a cloud space perspective. Coupled with an implementation period of a few hours rather than a few weeks, standardisation can help organisations to leverage the advancements suppliers are making in the cloud space, and drive down operational costs incurred in the datacentre.
Conclusion
There are many aspects to consider when making the move towards a cloud based hosting model, especially when considering the right partner to work with on the endeavour. Starting with the elements discussed in this paper will allow a solid foundation to be built, upon which further investigation can be performed to ensure the solution eventually employed is the best fit for the organisation.
1. There will be other considerations to be made before a final commitment, but these four pillars can be used to form an initial view of a vendor’s capability.