For businesses large and small, the prospect of hosting applications and data in a public cloud holds a certain appeal. Why spend money on on-premises infrastructure, goes the logic, when you can access the same types of services via the browser? Why wrestle with setting up a private cloud when a major vendor can take care of the necessary logistics?
That’s not to say that on-premises solutions are hopelessly outdated—the sheer size of some organizations’ database and business-intelligence operations, for instance, demands infrastructure that would make the Empire jealous. But for enterprise departments looking to host their operations in the cloud, or smaller firms wanting apps and hosting on a budget, a public cloud can prove a viable solution.
All that being said, anyone making the jump to the public cloud needs to take security into consideration, including the following factors:
1. Data Residency
“There are a lot of regulations depending on which country you’re in, and many of those regulations are conflicting,” Marcus Carey, Enterprise Security Community Manager for Rapid7, said in an interview. “You need to know where the data’s being stored and what the regulations are.”
Thanks to the Patriot Act, for example, U.S. vendors may feel compelled to comply with government requests for data stored on their cloud servers—a policy that could conflict with the strict data-disclosure policies that bind companies operating out of the European Union.
2. Data Encryption
Data encryption on public clouds is a must. “SaaS solutions and data need to be encrypted,” Carey added. “You don’t know where it’s going to be residing.”
Companies should also question the procedures underlying a cloud vendor’s security-monitoring policies. “Somebody still must do it,” Anton Chuvakin, a research director with research firm Gartner, wrote in an April corporate blog posting. “Now, that somebody might be spread across two or more organizations (your CSP, your MSSP, your own organization, the consultants you hired, etc.) but they have to be there.” Some cloud models can monitor the entire stack, including user activities.
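Carey’s point that data should be encrypted because “you don’t know where it’s going to be residing,” together with the disclosure concern raised under Data Residency, comes down to one design decision: encrypt before upload, with keys the provider never holds. The Go program below is an added example written for this page; it is not code from the article or from any vendor quoted in it. It implements customer-held envelope encryption using only Go’s standard library: a per-object data key (DEK) encrypts the payload with AES-256-GCM, a key-encryption key (KEK) that stays with the customer wraps the DEK, and the object’s storage path is bound in as associated data so a stored blob cannot be quietly relabelled as a different object. The KEK source (a random key here), the object name and the payload are assumptions for the demonstration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Envelope is everything that gets uploaded to the provider. The KEK that
// unwraps WrappedDEK never leaves the customer's control, so the provider
// (or anyone it is compelled to hand data to) holds only ciphertext.
type Envelope struct {
	WrappedDEK []byte // DEK encrypted under the KEK, nonce prepended
	Ciphertext []byte // payload encrypted under the DEK, nonce prepended
}

// seal encrypts plaintext with AES-256-GCM under key and prepends the random
// nonce. aad is authenticated but not encrypted.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal; it fails if ciphertext, tag or aad were altered.
func open(key, sealed, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed blob too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

// EncryptForCloud builds the envelope for one object. A fresh DEK per object
// limits the blast radius of any single key, and the object name as AAD ties
// the blob to the path it was written under.
func EncryptForCloud(kek []byte, objectName string, plaintext []byte) (Envelope, error) {
	dek := make([]byte, 32) // AES-256 data key for this object only
	if _, err := rand.Read(dek); err != nil {
		return Envelope{}, err
	}
	ct, err := seal(dek, plaintext, []byte(objectName))
	if err != nil {
		return Envelope{}, err
	}
	wrapped, err := seal(kek, dek, []byte(objectName))
	if err != nil {
		return Envelope{}, err
	}
	return Envelope{WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// DecryptFromCloud unwraps the DEK with the customer's KEK, then decrypts.
func DecryptFromCloud(kek []byte, objectName string, env Envelope) ([]byte, error) {
	dek, err := open(kek, env.WrappedDEK, []byte(objectName))
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return open(dek, env.Ciphertext, []byte(objectName))
}

func main() {
	kek := make([]byte, 32) // assumed: in production this comes from an HSM/KMS you control
	if _, err := rand.Read(kek); err != nil {
		panic(err)
	}
	const name = "customers/2013/q1.csv" // assumed object path
	env, err := EncryptForCloud(kek, name, []byte("acme,42,eu-west")) // constructed payload
	if err != nil {
		panic(err)
	}
	pt, err := DecryptFromCloud(kek, name, env)
	fmt.Printf("round trip: %q (err=%v)\n", pt, err)
	env.Ciphertext[len(env.Ciphertext)-1] ^= 1 // simulate a corrupted or altered blob
	_, err = DecryptFromCloud(kek, name, env)
	fmt.Println("altered blob rejected:", err != nil)
}
```

The provider stores only `Envelope`; a disclosure request served from its side yields wrapped keys and ciphertext, and a blob copied to another path fails to decrypt because the AAD no longer matches.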
3. Data Sharing
Companies embarking on a public-cloud adventure should ask vendors about access to relevant log data. “Sometimes SaaS providers don’t like to share log data at all,” Carey said. “Ask what you’re going to see, what sort of information you can obtain from those logs. I would speak to a current customer who’s dealt with those issues.”
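Carey’s advice to ask “what sort of information you can obtain from those logs” becomes a concrete check once a provider hands over a sample export. The Go program below is an added example written for this page, not code from the article or from any provider; it reads a constructed newline-delimited JSON export (the sample lines are made up for the demonstration and are not real provider output) and reports, per record, which fields an incident responder needs are missing, plus how often each field is populated across the export. The required-field list is an assumption; adapt it to your own response playbook.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// requiredFields is what a responder needs from any provider activity log:
// who did what, to which resource, from where, when, and whether it worked.
// This list is an assumption for the example.
var requiredFields = []string{"time", "actor", "source_ip", "action", "resource", "outcome"}

// sampleExport is a constructed stand-in for a provider's NDJSON log export.
const sampleExport = `{"time":"2013-05-01T10:00:00Z","actor":"alice","source_ip":"203.0.113.5","action":"login","resource":"console","outcome":"success"}
{"time":"2013-05-01T10:02:13Z","actor":"alice","action":"download","resource":"reports/q1.csv"}
{"time":"2013-05-01T10:05:00Z","action":"delete","resource":"reports/q1.csv","outcome":"success"}
not json at all
`

// Gap records which required fields one log record lacks.
type Gap struct {
	Line    int
	Missing []string
}

// Report summarises how usable the export is for investigation.
type Report struct {
	Records    int            // records that parsed
	Unparsable int            // lines that were not valid JSON objects
	Present    map[string]int // per-field count of populated records
	Gaps       []Gap          // per-record missing fields
}

// AssessLogExport parses NDJSON and checks each record against requiredFields.
// A field counts as present only if it exists and is neither empty nor null.
func AssessLogExport(ndjson string) Report {
	rep := Report{Present: map[string]int{}}
	for i, line := range strings.Split(ndjson, "\n") {
		line = strings.TrimSpace(line)
		if line == "" {
			continue
		}
		var rec map[string]json.RawMessage
		if err := json.Unmarshal([]byte(line), &rec); err != nil {
			rep.Unparsable++
			continue
		}
		rep.Records++
		var missing []string
		for _, f := range requiredFields {
			if v, ok := rec[f]; ok && string(v) != `""` && string(v) != "null" {
				rep.Present[f]++
			} else {
				missing = append(missing, f)
			}
		}
		if len(missing) > 0 {
			rep.Gaps = append(rep.Gaps, Gap{Line: i + 1, Missing: missing})
		}
	}
	return rep
}

// Coverage returns the fraction of parsed records that populate field f.
func (r Report) Coverage(f string) float64 {
	if r.Records == 0 {
		return 0
	}
	return float64(r.Present[f]) / float64(r.Records)
}

// WeakFields lists required fields populated in fewer than minCoverage of
// records, sorted for stable output.
func (r Report) WeakFields(minCoverage float64) []string {
	var weak []string
	for _, f := range requiredFields {
		if r.Coverage(f) < minCoverage {
			weak = append(weak, f)
		}
	}
	sort.Strings(weak)
	return weak
}

func main() {
	rep := AssessLogExport(sampleExport)
	fmt.Printf("records=%d unparsable=%d\n", rep.Records, rep.Unparsable)
	for _, g := range rep.Gaps {
		fmt.Printf("line %d missing: %s\n", g.Line, strings.Join(g.Missing, ", "))
	}
	fmt.Println("fields below 90% coverage:", rep.WeakFields(0.9))
}
```

Run against a real export, the `WeakFields` list is the short version of the question to put back to the provider: these are the fields you would be investigating without.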
4. Certification
“Make sure the provider is certified to host the data, because technically you’re going to be the one responsible when it all comes down to it,” Carey said. “You need to make sure it’s certified.”
5. Penetration Test
“Providers sometimes have you test a developer environment, but you want to test the production environment,” Carey advised. “Test it before people can use it.”
Some cloud providers offer their own penetration testers, which is a good thing. “Not only does it show that they take security seriously, but it means that you can leverage their internal testing results for your own audits,” Aaron Bryson, a senior information security engineer and risk management specialist for Cisco, wrote in an August 2011 corporate blog posting. “If you do not have the money for your own penetration testing team (either in-house or third-party), you may be able to request detailed audit reports from the [cloud service provider] relative to your company.”
According to Bryson, securing the public cloud also involves asking a lot of questions. Does the service provider keep the system up-to-date on patches? What methods do they use to test security? Have they performed Web application and Web service penetration testing? Also, be aware of any contract stipulations regarding penetration tests between your company, your service provider, and, if applicable, a third-party pen-test team.
Obviously, this is only a short overview of the considerations involved in securing an organization’s presence on a public cloud. Whatever type of cloud deployment a company ends up choosing, though, security should always remain a prime consideration.