Grounded in the Cloud

5 keys to a secure cloud—but no guarantees

on ‎08-03-2014 07:06 PM

A lot of ink has been spilled about cloud security. Rather than talking about the fear factor—should you trust your mission-critical apps and data to the cloud?—I'd like to share some concrete advice on how to achieve a more secure cloud in a hybrid IT environment. By looking at five key areas when choosing a cloud provider, you can improve the odds that your cloud won't fall prey to a malicious attack or an infrastructure failure. I use the phrase "improve the odds" deliberately, because no cloud solution is failsafe. If someone tells you otherwise, you should find a new cloud provider.

People frequently confuse security with compliance. Complying with industry regulations such as HIPAA and PCI-DSS can help protect your hybrid IT environment, but it's no substitute for a well-defined security strategy.

For example, suppose you're hosting sensitive financial data in a private cloud with appropriate security controls. If you have to engage in disaster recovery, some of that data may burst to the public cloud environment, which may have different trust attestations. The data might stay there, without your knowing whether it's been encrypted or securely stored.

Achieving a (more) secure cloud

When evaluating a cloud provider, consider these factors:

  • Industry best practices. You need to guard against vulnerabilities that range from poor configurations to botnet zombies. Some threats come from the inside. Asking your cloud provider how they patch their systems is a basic question, but it's crucial. You need to verify that your provider is following industry best practices. If they say they have industry certifications, ask them how they're keeping those certifications up to date, and what sorts of attacks the related guidelines address.
  • A transparent, shared responsibility model. For example, as part of Amazon Web Services security best practices, Amazon states that its customers must follow the shared responsibility model. This requires customers to secure operating systems, platforms, and data. AWS in turn states it will secure its infrastructure and compute, storage, networking, and database services. Responsibility for security should fall on both the provider and the customer. In turn, your provider should be able to address any security concern that you have in a transparent manner.
  • Comprehensive security features. Though not foolproof, full-featured security products can play a central role in guarding against intrusions, especially if they include tools for monitoring, logging, and reporting events.
  • Up-to-date security research. An attacker can take advantage of security research just as easily as a provider can. No solution is invulnerable. By following trends and staying on top of new findings, a cloud provider can help guard against attacks that originate both inside and outside your firewall. HP is dealing with 300 million hits per day on HP.com, managing over 150,000 mobile devices and 1.2 million connected devices across the globe. HP conducts continual security research and threat analysis – using solutions such as Fortify to scan millions of lines of code that are running on HP’s IT infrastructure, and ArcSight to log and analyze over 12 billion security events per day.
  • External partnerships. Such partnerships can help your provider be aware of the latest security research. HP is an executive member of the Cloud Security Alliance, a not-for-profit organization dedicated to promoting the use of best practices for providing security assurance within cloud computing. A coalition of industry practitioners, corporations, and associations leads the alliance.

Ask an expert

When it comes to cloud, going it on your own can be a big mistake, as I discussed in my previous post. HP Helion OpenStack Professional Services can help you conduct a risk assessment and assist you with securely building and deploying workloads in the cloud. For more information on HP cloud solutions, visit hp.com/helion.

Watch this video in which my HP colleague Ben de Bont talks about a blended approach to hybrid cloud security.

About the Author

TerenceNgai