When a family with a baby buys a new car, they don't buy a car seat from the vehicle manufacturer: There is specialized equipment to handle the family's most sensitive asset.

John Pescatore, a Gartner vice president and security analyst, says cloud security can be thought of in a similar way: Users shouldn't rely on their cloud service provider's security features to protect their most critical data.

Sensitive information that needs to be protected -- customer data, mission-critical applications, production-grade information -- in many cases needs its own security controls to be fully protected. "As you move out to cloud-based models, there are some things you can trust your cloud provider with, but for critical business data and regulation-controlled information, very rarely is the infrastructure going to be enough," Pescatore said during a webinar sponsored by Gartner this week.

Security remains a top concern for companies looking to deploy a cloud strategy, but Pescatore says there are ways to alleviate the fears. One key, he says, is to have security provisions that are designed to specifically protect cloud applications, data or workloads.

A prime example is credit card information. Payment Card Industry (PCI) certification requires that any customer credit card data that is stored electronically be encrypted. Some cloud service providers will offer encryption services within their cloud-based storage offering. But there are a range of third-party applications that customers can buy to provide encryption services, distributed denial-of-service (DDoS) protection, and access control measures that are tailored specifically for cloud deployments. Many of these are delivered in a cloud format.

There are a variety of cloud security products on the market for numerous functions.
Providers such as Zscaler, Websense or ScanSafe from Cisco are "gateway" products that sit between the user and the cloud provider to monitor what data is being put into the cloud and to make sure malicious data or applications don't penetrate into the user's system. If the cloud is being used to host a website, there are website protection services, such as Imperva, CloudFlare and even some from Akamai.

Overall though, Pescatore says cloud security starts at a basic level. Most enterprises begin their journey to the cloud with a private, internal cloud, and that's a good place to start with security controls, too. "Get security right in the private cloud first, then extend it into the hybrid and public," he suggested. Having processes in place to protect virtualized environments from outside attacks is important, he says. "Get visibility into the system, the change controls and the vulnerabilities," he says. This includes securing the orchestration of the architecture and the provisioning of new accounts, domains and virtual machines.

The migration beyond a private cloud is usually then toward incorporating some public cloud services. Many times, though, companies expand to public cloud services for non-mission-critical applications, such as test, development or bursting capacity. So, not everything may have to be secured to a maximum security level. "Protect the sensitive information and only put the less sensitive data into the cloud in the native form," he says, referring to the process of tokenization.

Pescatore says the focus for cloud security should be on the processes of protecting the cloud. Create policies for cloud security, then make sure they are implemented throughout the cloud deployment and stick with them. The vulnerabilities are created when there are inconsistent policies or unenforced security controls, he says.
"We really have not yet seen major new attacks that are trying to compromise the cloud infrastructure or the virtualization layer," he says. "The reality today is that the easy pickings (for the hackers) are attacking the companies using the cloud services."

The good news is customers have a wide variety of options. For low-level security requirements, cloud service providers, on either the infrastructure or software-as-a-service side, usually have their own security features. Amazon Web Services is FISMA compliant; FireHost, another cloud service provider, is PCI compliant. At the least, Pescatore says users should look for their providers to be ISO 27001, SOC 2 or SOC 3 certified. Beyond that, and especially for sensitive information, there are third-party security offerings for a range of uses.

Network World staff writer Brandon Butler covers cloud computing and social collaboration. He can be found on Twitter at @BButlerNWW.