It’s now part of the conventional wisdom that cloud computing has altered the information technology delivery model. The steady embrace of the cloud among manufacturers large and small does not, however, mean that organizations can or should let their guard down on matters of security and data protection. While cloud server hosting provides compelling benefits, security is an essential part of any discussion of cloud adoption. Mitigating security risks is imperative to creating the comfort level CIOs and CISOs need before they transition applications and data to the cloud.
Applications, systems and data all have different security thresholds. For example, web, mobile and social applications can be moved to a virtual server without the same degree of security concern as there is for regulated information or mission-critical applications. When deciding whether an application, product or service belongs on a cloud server, CIOs and CISOs must consider:
- Type of data or application;
- Service-level agreement;
- Security environment.
The decision to move to the cloud, especially the public cloud, should depend on the sensitivity of the data and the level of security offered by the cloud provider. The final question should be whether the business value offsets the risk.
According to Gartner security analyst Neil MacDonald, quoted in CIO Magazine, the issue isn’t that virtual servers are less secure than other types of servers. In fact, virtual machines actually tend to be more secure than standalone servers, primarily because they’re more isolated and because they rely on a single host server. That makes the issue of physical security less complicated than if each server resided on a separate piece of hardware, per MacDonald.
There’s a “but” there, however. “Each one of those virtual servers is still its own separate server,” CIO quoted MacDonald as saying. “Each one has its own operating system and configuration that may or may not be according to the standard set by the parent company. And every one of them has to be patched and maintained the same way a non-virtual server does to keep up with potential vulnerabilities; a lot of people forget about that, but it makes the situation a lot more complicated.” And that matters because there is at least the potential for anyone managing virtual servers to lose control of them by not recognizing risks as they arise. Ironically, a few years back, the NSA commissioned several software development labs to devise a virtual server management solution.
Cloud service providers (CSPs) are beginning to put a greater emphasis on security protections, with technologies like clustered firewalls and IDPS (intrusion detection and prevention systems). In the cloud’s infancy, CSPs touted scalability, initial cost savings and speed. But the prospect of enhanced security in the cloud – indeed, that the better cloud deployments now mean that data is safer in the cloud than on a typical unsecured desktop – has altered the conversation. Manufacturers assessing cloud service providers can now seek out CSPs whose security controls mitigate the risks of moving to the cloud.
When considering a move to virtual server hosting, CIOs and CISOs need to check for audits of a CSP’s security controls. Look for providers who have passed the SSAE (Standards for Attestation Engagements) No. 16 Type II audit, one of the most rigorous auditing standards for hosting companies. The audit confirms the highest level of service and reliability attainable for a virtual server hosting company. To be SSAE compliant, a hosting provider should offer SSL capability, enterprise-level application-layer protection, a hardware firewall, IP-restricted FTP, managed backups with 14-day retention, advanced monitoring and multi-level intrusion prevention.
In addition, an increasing number of CSPs are using the American Institute of Certified Public Accountants’ Service Organization Control process (SOC), the organization’s certification of controls with verification for cloud environments. Some of the larger cloud service providers now publish SOC reports on their security controls. Mandates from CIOs and CISOs may be required before SOC reports are published by all cloud providers.
Now more than ever, cloud service providers are realizing that managing security is fundamental to facilitating cloud adoption. Those cloud providers concerned about safeguarding their manufacturing clients’ data and applications are taking steps to mitigate those risks with tight security controls — and transparency regarding those controls.
Adam Stern is founder and CEO of Infinitely Virtual (www.infinitelyvirtual.com), which offers cloud-based InfiniteERP.