Having been surrounded by hype and enthusiastic promises of improved business performance, “cloud” technology has had a tough time establishing itself as a credible part of the IT landscape. After a period of uncertainty, cloud has now moved beyond this stage, and there is clear evidence, along with case studies and testimonials, that the technology has improved IT infrastructure. Industry heavyweights, Gartner included, agree cloud is here to stay.
The wide array of applications for cloud has, however, led to a somewhat fragmented landscape. Everything, from simple data storage to scalable environments for developers deploying test applications, has been impacted by cloud technology. The downside is that this fragmented landscape lacks established standards across the industry, and for cloud the most notable issue is security.
Security requirements in the cloud vary greatly from those of on-site infrastructure. Businesses looking to deploy in the cloud or replace existing infrastructure with something that promises to be faster, better, cheaper, or anything else in-between, must take a holistic approach to cloud security.
Control in the cloud
Security requirements will vary for any business. Even the smallest of players will have sensitive data on file, such as personnel files and financial details, that needs to be kept secure. The larger players have more complex compliance issues to think about. The Payment Card Industry Data Security Standard (PCI DSS), Sarbanes-Oxley and HIPAA are all potential pain points for larger businesses looking at cloud technology.
Responsibility for keeping data safe and secured in the cloud is also not clear-cut. The Information Commissioner’s Office (ICO) recently published guidelines that, although not specifically related to cloud security, offer some precedent. A 24-page document attributes the responsibility for data, and data loss, to the business that created it even “after passing it [data] to the cloud network provider”.
It’s only a short leap to assume a business that is responsible for data loss is also accountable for security and regulatory requirements. Data loss could even fall under the umbrella of security, so any cloud provider selected by a business must prove itself a trustworthy partner and supplier.
In this regard, cloud security is not separate from the data security practices businesses should have in place today. Protecting access to certain sensitive data and limiting what can be shared to outside infrastructure, such as through virtual desktops, USB storage keys and so on, is a staple of IT security. Cloud security should not sit apart from this, but rather be an extension of what is already taking place, albeit a well-considered extension.
A ‘holistic approach’ to cloud security is a sensible course of action for businesses looking to shift some elements of their IT infrastructure to the cloud. This simply means taking the time to fully assess the security requirements of business data heading to the cloud, and ensuring a cloud service provider is capable of meeting these. This may sound obvious, but the importance of security means the issues should be evaluated more thoughtfully and thoroughly than an item on a list to tick off.
The CIO or CSO should take ultimate responsibility for deciding which data can be transferred to the cloud, but the decision should be informed by every part of the business. This will ensure the business can account for any and all regulatory requirements, keep the right level of control over its data, and gain the benefits of using cloud technology.
Chris Jenkins is line of business manager, security solutions for IT Solutions provider Dimension Data