Business Cloud Security: How To Do It and Where To Start
By Todd R. Weiss
When business IT professionals evaluate whether cloud computing can help their companies, the number one concern always seems to be how to deal with data security.
Those concerns are out there every day on LinkedIn.com forums, in data breach stories in the news and in the minds of IT leaders when they talk with their peers, vendors and industry analysts.
Then I read a story last week on Forbes.com, about how a new government report from The National Institute of Standards and Technology (NIST) came up with a list of guidelines and recommendations for government agencies as they look to the cloud. The interesting thing I noticed is that the 80-page NIST report includes plenty of technology discussions about data protection, data isolation and the rest, but more importantly, it's a primer for common sense business planning.
Bill Claybrook, image courtesy New River Marketing Research
Among the things the NIST report recommends, according to the Forbes story "7 Tips for Securing Your Cloud, from the Federal Government," are:
1) Plan your cloud project and make sure you know what you are undertaking before you begin. "As with any emerging information technology area, cloud computing should be approached carefully with due consideration to the sensitivity of data," the NIST report states.
2) Make sure that your organization understands the delineation of responsibilities over the computing environment and the implications for security and privacy, according to the NIST report. Know what's going to happen before you get there.
3) Align your company's needs with the offerings from the vendors you are reviewing, the NIST report states. "Public cloud providers’ default offerings generally do not reflect a specific organization's security and privacy needs. Adjustments to the cloud computing environment may be warranted to meet an organization's requirements."
4) Tell your cloud provider what you want, then negotiate to get it, even if it's not part of their offerings, the NIST report suggests. "Non-negotiable service agreements in which the terms of service are prescribed completely by the cloud provider are generally the norm in public cloud computing. However, organizations shouldn't accept terms lying down." By bringing detailed security issues and concerns into the negotiations from the start, a business can bring all matters into the discussions, including data ownership and exit rights, breach notification, isolation of applications from each other in public clouds, data encryption and segregation and more, according to the report.
5) Carefully evaluate the balance between costs and productivity versus drawbacks in risk and liability when looking at the cloud, the report states. "While the sensitivity of data handled by government organizations and the current state of the art make the likelihood of outsourcing all information technology services to a public cloud low, it should be possible for most government organizations to deploy some of their information technology services to a public cloud, provided that all requisite risk mitigations are taken."
6) Don't overlook the security issues that can arise simply through the use of Web browsers, browser plug-ins and mobile devices by your users, the NIST report states. "Services from different cloud providers, as well as cloud-based applications developed by the organization, can impose more exacting demands on the client…. The various available plug-ins and extensions for Web browsers are notorious for their security problems. Many browser add-ons also do not provide automatic updates, increasing the persistence of any existing vulnerabilities. Similar problems exist for other types of clients."
7) Like a sailor in a crow's nest, watch for icebergs that can sink your cloud project, the NIST report states. "Strong management practices are essential for operating and maintaining a secure cloud computing solution…. The organization should collect and analyze available data about the state of the system regularly and as often as needed to manage security and privacy risks, as appropriate for each level of the organization."
Bill Claybrook, principal IT analyst with New River Marketing Research in Carlisle, Mass., said the NIST report is notable because it stresses the kinds of pertinent reviews that should be done on every IT project, but that are often left out.
"Every vendor is working on making clouds and virtual environments more secure over time," Claybrook said. The problem, though, is that when businesses adopt technologies like the cloud, they don't always do it with adequate planning and follow-through, he said.
Back in the 1980s, Claybrook worked for a company doing operating system security for the military. Its mantra was that you couldn't have a secure system unless you designed security in from the start, he said. "After the fact is not a good way of doing it, but a lot of people do it that way. It's the same thing with the cloud."
So what about the ideas laid out in the NIST report and the Forbes story?
"I think these are all good ideas," Claybrook said. "Everybody should do that, but almost nobody does. A lot of people don't understand security in the first place. That's the problem."
Perhaps a lack of basic common sense is part of the problem? That's an interesting perspective, I think.
I'm certainly not minimizing the pitfalls and concerns about public cloud security, believe me, but I can't stop thinking that a healthy dose of true common business sense could go a long way toward solving some of the security worries with the cloud.
Taking any technology off a shelf and inserting it into your business won't solve your business problems. You have to do the hard work, too, to make it work for you.
Could acknowledging our own responsibilities when looking at the cloud help us in our cloud deployment and security plans?
I think it could be an intriguing start.
What do you think?
Todd R. Weiss is an award-winning technology journalist and freelance writer who worked as a staff reporter for Computerworld.com from 2000 to 2008. Weiss covers enterprise IT from cloud computing to Hadoop to virtualization, enterprise applications such as ERP, CRM and BI, Linux and open source, and more. He spends his spare time working on a book about an unheralded member of the 1957 Milwaukee Braves and watching classic Humphrey Bogart movies. You can follow him on Twitter @TechManTalking. You can contact him at toddrweiss@gmail.com