Data is one of the most valuable assets a business has, so companies have to get security just right in their cloud deployments. Lost, stolen or inaccessible data in the cloud can lead to lost sales, skewed operations, and potentially large fines levied by data compliance authorities. This HP whitepaper looks at how companies can make sure their cloud deployments are secure and up to the task now that data is supposed to be king.
The cloud brings new security challenges. With cloud services, the entire security ecosystem is no longer under your control and must be extended into the cloud. To cope with the challenge, you must start with a comprehensive understanding and analysis of risk, and create a proper governance and compliance programme that is tailored to the cloud. You must then lay out a high-level security architecture for your cloud-based services.
Knowing the risks
To make a successful move to the cloud, you must evaluate a number of risks and manage them over time. These risks relate to the security of cloud access devices, the security and availability of the cloud platform, and identity and access management for the cloud. Organisations also have to address security and compliance management for the cloud, and the security impact for cloud stakeholders.
Taking a risk-based approach
Firms cannot rely on a "one size fits all" approach, because not all risk scenarios are the same. For instance, some critical applications might be too important to move to a cloud service provider, or extensive security controls might be deemed "over the top" for relatively low-value data being moved to cloud-based storage platforms. As with almost any security decision, firms should take a risk-based approach to selecting the right security options for their individual cloud service.
What should you put into the cloud?
Companies must identify the assets they are actually moving to the cloud, which normally fall into two areas: data and applications, or processes. The next step is to evaluate the importance of the data, applications and processes to the organisation. Organisations have to identify what the damage would be if data being moved to the cloud became compromised, and what effect data downtime would have on company operations.
In addition, firms may need to map out a data flow relating to the cloud deployment service under consideration. They should consider the data flow between their organisation, the cloud service provider, and any customers, partners or other cloud connections. Such a data flow will show how data can move in and out of the cloud, illustrating the security requirements. They must also assess their network for cloud suitability and educate users about safe cloud use.
Choosing a secure cloud provider
After going through these processes, organisations should be clearer about what they are moving into the cloud, their risk tolerance, and which type of cloud provision suits them. With this in front of them, they can then decide on the best security protocols and security systems to be put in place.
Where HP comes into the mix
HP can provide a one-stop shop for all cloud security needs. The HP Cloud Protection Program and Services offering addresses the various areas of cloud security. The HP package of services includes HP ArcSight for unified security information, event management and proactive security monitoring.
There is also HP TippingPoint for intrusion prevention and intrusion detection and HP Fortify for end‑to‑end software and application assurance. And HP has a large team of cloud security consultants to give organisations the extra help they may need in designing and deploying their cloud security requirements. HP experts also work closely with key technology partners such as Microsoft, VMware, Intel and Symantec to offer complementary solutions.
An industry security alliance
As a provider of public, private and hybrid cloud solutions, HP also works with the industry-backed Cloud Security Alliance (CSA) to help reassure organisations that the cloud systems they are using come up to the mark. The CSA is backed by the likes of HP, Google, Verizon, Intel, McAfee and Microsoft, and sees major cloud providers submit reports to a registry of cloud security controls.
The CSA Security, Trust and Assurance Registry (STAR) is a free and publicly accessible registry that documents the security controls provided by various cloud computing offerings. Consumers of cloud services often require STAR reports as part of their procurement process, so HP can meet that demand.
A developing protection architecture
HP also promotes its Cloud Protection Reference Architecture concept, with innovations tested at HP's Cloud Protection Centre of Excellence (CoE). The HP Cloud Protection Reference Architecture enables structured and comprehensive security discussions, designs and implementations to be developed and delivered with various stakeholders, by addressing different business, functional, technical and implementation needs.
The CoE, in collaboration with HP Labs, offers innovative lab environments to test and integrate products that support cloud and virtualisation protection from HP, partners and third parties. Through the innovations coming from HP Labs and the CoE, HP evolves cloud security research in areas such as virtual machine lifecycle management and cloud bursting.
The cloud market is developing quickly, and as a result the required overall security is a fast-moving target. But HP is in an ideal position to offer a haven for those companies taking their data security seriously. You can find more information on HP cloud security solutions here.