The cloud service industry has enjoyed rapid growth and relatively few issues involving data breach attempts or loss of data. Eventually, cybersecurity hackers will develop formidable tools to break into lucrative repositories and feast on financial information or intellectual property. Most likely, initial methods employed will be suspiciously similar to current methods such as social engineering to steal credentials.
The best solution to this threat is multifactor authentication. Costs are greater, but the protection afforded is genuinely better and provides a first line of defense against intrusion. Individual security tokens with a PIN, along with the traditional userid/password combination, are a wise implementation for a group of any size.
Combining this secure authentication model with full data encryption (in flight and at rest) starts you down the path toward resilient security that is demonstrably more reliable than other, more passive methods. Yes, it will cost more to implement. Data encrypted at rest requires decryption during application access, and this is a major concern, but it can be done. IBM System z environments provide this capability natively, using hardware acceleration to maintain application performance, making this platform a perfect candidate for cloud implementations.
By implementing these two controls, even a data breach can be less stressful with the knowledge that data decryption will be impractical for most thieves.
Stop the Abuse
Not all clouds are created equal; that is a given. If you develop your own private cloud, it may provide all the features you desire and give you complete control, but not automatically or without planning. Many organizations believe that if they have complete control over the cloud, as with their own private cloud implementation, they will have less to worry about. If you don’t build security into your cloud design, then you have achieved nothing of value. The recommendations do not change: use multifactor authentication and encrypt all data at all times. This security mantra must be accepted because it works; it is simple, straightforward and secure.
Cloud management from the customer perspective must include all elements of a traditional data center:
• Operational control such as monitoring, logging, failure analysis and periodic review
• Content control to implement a security model over assets (applications and data)
• Recovery control to plan for disasters
• Administration control to manage access control for users and applications.
Above all, create a strong management team that takes control of the cloud to unite all users, departments and functional business units that use the enterprise cloud. Failing to exert influence and control sets up the organization for a failure. Do not fall into the complacency trap; do not blindly accept assurances from the cloud provider regarding protection of your data or services provided. Actively be part of the solution and not a passive observer from the sidelines. After all, this is your system, your assets and yours to screw up.
I find it humorous that after all these years we are talking about cloud computing as a new technology or a capability just invented. For years, many of us have been using mature virtualization found within z/VM (or VM/ESA, VM/SP, etc.) to bring many of these “new” cloud features to organizations we supported. At one point, it was called distributed processing or decentralized processing; now, the moniker is “the cloud.” Elements comprising this type of operation are familiar to the VM community and I suspect that many successful implementations of corporate clouds are thanks in part to old VM graybeards leading the project. The world would be more secure if z/VM was used everywhere.
Regardless of whence you came or where you are going, the same generally accepted business practices and procedures that we have followed for years must continue to be implemented as we move forward. It should not be assumed to be automatic. Security is not inherently automatic. We must manage projects and systems the same whether using an outsourced cloud, a self-supported cloud or a traditional data center. Nothing changes.