
But is it safe?

Security is one of the hardest things to address when considering moving applications or infrastructure into the cloud.

By Pam Sykes
Johannesburg, 13 Sept 2010

Surely, common sense dictates, it's safer to keep your servers, applications and data securely on your own premises? Not necessarily. In fact, some proponents of the cloud argue that buying services rather than servers can be more secure.

Let's take physical security first: how vulnerable is your infrastructure to floods, fires, theft and catastrophic hardware failures? Unless you're in the top echelon of South African corporates and running your own data centre, the answer may be scary.

In this, as in other things, economies of scale matter. A specialist data centre serving scores or hundreds of clients can afford to invest in far better physical security than your average business ever can.

Once you leave physical objects behind and concentrate instead on your applications and data, the mental map of your organisation needs to change. The logical boundaries of a business have nothing to do with office walls. Instead, they're all about firewalls. If your data is secure behind your own firewall, it doesn't matter whether it's physically stored in Johannesburg or Jakarta.

And here again, cloud service providers benefit from economies of scale, being able to afford specialist skills and knowledge, as well as raw computing power, not available to the rest of us.

“When you move to the cloud, your security gets better and costs less,” says VMware Southern Africa regional director Chris Norton. “Consider anti-virus scanning: the bigger the organisation, the longer it takes to scan every machine and the more productivity is lost. It's an overhead that larger cloud service providers can factor in more easily. We have protection at the level of the physical hardware: we can stop a malicious attack before it even hits the operating system, with less overhead.”

VMware is also, says Norton, “working with security vendors to develop appliances to lock down and secure the infrastructure in third-party environments, including firewalling, attack protection and virus protection.”

Follow the old rules

Then there's the fact that the rules of providing security don't change when systems move to the cloud. “There is a whole set of global standards against which we can measure our security,” says Albie Bester, Microsoft's cloud business development manager for South Africa. “We're not starting from scratch; all the basics of providing a secure IT environment, with the right physical and logical access control and security, still apply.

“We have seven layers of security,” adds Bester, “from physical access control at our data centres through to firewalls, data encryption, and the rest. We've learned a lot from our own experience of cloud services like Hotmail and Windows Update. There's no site on the Internet with anything of value that doesn't get targeted, and we're always trying to stay one step ahead. Complacency is your biggest threat.”


It's also important, says Bester, to ensure that cloud service providers not only have great security procedures in place on paper, but actually enforce them.

“If you don't enforce your procedures they're worthless, and if you don't have frequent independent audits, all you have is good intentions,” he says. “But if you do it right, any organisation that measures their current data centre will see that they can get better security by moving to the cloud.”

Nothing about existing security measures needs to change when infrastructure or software services move into the cloud, says Business Connexion's GM for services Julian Liebenberg. “Your perimeter security stays in place, your governance rules stay the same, you still have the same anti-virus protection - it all stays intact,” he says.

Lock up your data

What does need extra protection, he says, is data. “Any organisation that is going to be entrusting data to the cloud needs to insist on very strict data security SLAs,” he says. “Encryption is popular, but not adequate if you're only getting session encryption; you need to encrypt the data where it is being stored as well. It should only ever be unencrypted when it's in authorised and legitimate use.”
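Liebenberg's distinction between session encryption and encrypting the data where it is stored can be made concrete. The following is an added example, not code from the article or from Business Connexion: the client encrypts each record with AES-256-GCM under a key it never hands to the provider, so the provider's storage only ever holds ciphertext, and the record is decrypted only at the moment of an authorised read. The `Store` map, the `DataKey` derivation from a string and the record-ID binding are all constructed for illustration; a real deployment would keep the key in a client-side KMS or HSM.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// Store stands in for the provider's storage. Constructed for this example:
// it holds whatever bytes the client uploads and nothing else.
type Store map[string][]byte

// DataKey derives a 256-bit AES key from a secret that stays with the client.
// Constructed: a real deployment would hold the key in a client-side KMS or
// HSM rather than derive it from a string in source.
func DataKey(secret string) []byte {
	sum := sha256.Sum256([]byte(secret))
	return sum[:]
}

// Seal encrypts a record with AES-256-GCM before it leaves the client. The
// record ID is bound as associated data, so a blob copied under another ID
// fails to open. Output layout: nonce || ciphertext || tag.
func Seal(key []byte, recordID string, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, []byte(recordID)), nil
}

// Open decrypts a blob produced by Seal. Any change to the nonce, ciphertext,
// tag or record ID makes GCM's authentication check fail, so tampering in
// storage is detected rather than silently returned as data.
func Open(key []byte, recordID string, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < aead.NonceSize()+aead.Overhead() {
		return nil, errors.New("blob too short")
	}
	nonce, ct := blob[:aead.NonceSize()], blob[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, []byte(recordID))
}

// Leaks reports whether the stored blob still contains the plaintext, i.e.
// whether anyone with read access to storage could simply search for it.
func Leaks(blob, plaintext []byte) bool {
	return len(plaintext) > 0 && bytes.Contains(blob, plaintext)
}

func main() {
	key := DataKey("client-held-secret")
	store := Store{}
	record := []byte("account=12345;balance=100.00") // constructed sample record
	blob, err := Seal(key, "rec-1", record)
	if err != nil {
		panic(err)
	}
	store["rec-1"] = blob
	fmt.Println("plaintext visible in storage:", Leaks(store["rec-1"], record))
	back, err := Open(key, "rec-1", store["rec-1"])
	fmt.Printf("authorised read: %s (err=%v)\n", back, err)
	store["rec-1"][len(blob)-1] ^= 0x01 // simulate corruption or tampering at rest
	_, err = Open(key, "rec-1", store["rec-1"])
	fmt.Println("tampered read rejected:", err != nil)
}
```

The point of the design is the boundary: TLS protects the record in transit, but once it is written the provider, its staff and anyone who reaches its disks see only the sealed blob. Binding the record ID and using an authenticated mode also means a blob that has been altered or swapped in storage is refused, which is the "legitimate use" check Liebenberg describes made mechanical.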

Accenture's Willem Thompson adds that companies should plan carefully before moving any data into the cloud.

“You need to decide exactly what you will move, and what you won't. Then it is your responsibility to put the right policies and procedures in place to protect that data. The vendor doesn't know what data you are moving, or how important it is - that is the client's responsibility.”

BT Global's Todd Schoeman believes the data risks are significant and need to be carefully considered.


“If you put your corporate data into a service provider's network, you might lose control of it. There is a governance risk involved. Banks, for example, will never put their customers' credit card details into a cloud; they need to be able to control the data security absolutely.”

Finally - but critically - where your services and data reside has no bearing on one of the largest security risks of all: people.

“The easiest way to hack a system is still to pay someone for the passwords,” says Herman van Heerden, executive director of New Order Industries. “Things aren't any different in the cloud. You still need to control access to your system, from the inside and from the outside, and to monitor that access in real-time, or as close to it as you can get. Your security needs to be baked into your systems from the start, regardless of where they are.”
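Van Heerden's point about monitoring access "in real-time, or as close to it as you can get" is the same whether the system sits on premises or with a provider: the access log has to be read and acted on, not just kept. The following is an added example, not code from the article or from New Order Industries. It replays a small, constructed login log and raises two kinds of alert: a burst of failed attempts by one user inside a sliding window, and a successful login outside business hours. The log format, the five-minute window, the threshold of three failures and the 07:00 to 19:00 UTC business-hours policy are all assumptions chosen for illustration.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// Event is one parsed login attempt. The log format below is constructed
// for this example; a real system needs a parser for its own format.
type Event struct {
	At     time.Time
	User   string
	Result string // "OK" or "FAIL"
}

// Alert is what the monitor would hand to an operator or a SIEM.
type Alert struct {
	Kind string // "burst-failures" or "off-hours-success"
	User string
	At   time.Time
}

// SampleLog is constructed input: an RFC 3339 timestamp followed by key=value
// fields. One line is deliberately out of order to show that Analyse sorts.
var SampleLog = []string{
	"2010-09-13T09:00:01Z user=alice src=10.0.0.5 result=OK",
	"2010-09-13T23:40:12Z user=carol src=203.0.113.7 result=OK",
	"2010-09-13T09:05:00Z user=bob src=10.0.0.9 result=FAIL",
	"2010-09-13T09:05:20Z user=bob src=10.0.0.9 result=FAIL",
	"2010-09-13T09:05:45Z user=bob src=10.0.0.9 result=FAIL",
	"2010-09-13T09:06:00Z user=bob src=10.0.0.9 result=OK",
	"2010-09-13T10:00:00Z user=dave src=10.0.0.3 result=FAIL",
	"2010-09-13T10:30:00Z user=dave src=10.0.0.3 result=FAIL",
	"2010-09-13T10:31:00Z user=dave src=10.0.0.3 result=FAIL",
}

func parseLine(line string) (Event, error) {
	fields := strings.Fields(line)
	if len(fields) < 2 {
		return Event{}, fmt.Errorf("malformed line: %q", line)
	}
	at, err := time.Parse(time.RFC3339, fields[0])
	if err != nil {
		return Event{}, err
	}
	ev := Event{At: at}
	for _, f := range fields[1:] {
		kv := strings.SplitN(f, "=", 2)
		if len(kv) != 2 {
			continue
		}
		switch kv[0] {
		case "user":
			ev.User = kv[1]
		case "result":
			ev.Result = kv[1]
		}
	}
	if ev.User == "" || ev.Result == "" {
		return Event{}, fmt.Errorf("missing user or result: %q", line)
	}
	return ev, nil
}

// Analyse replays the log in time order and raises an alert when one user
// reaches threshold failures inside window, and for any success outside
// business hours (07:00-19:00 UTC, a constructed policy).
func Analyse(lines []string, window time.Duration, threshold int) ([]Alert, error) {
	var events []Event
	for _, l := range lines {
		ev, err := parseLine(l)
		if err != nil {
			return nil, err
		}
		events = append(events, ev)
	}
	sort.Slice(events, func(i, j int) bool { return events[i].At.Before(events[j].At) })

	recentFails := map[string][]time.Time{} // sliding window of failures per user
	burstAlerted := map[string]bool{}       // one burst alert per user per run
	var alerts []Alert
	for _, ev := range events {
		switch ev.Result {
		case "FAIL":
			q := append(recentFails[ev.User], ev.At)
			for len(q) > 0 && ev.At.Sub(q[0]) > window {
				q = q[1:] // expire failures older than the window
			}
			recentFails[ev.User] = q
			if len(q) >= threshold && !burstAlerted[ev.User] {
				burstAlerted[ev.User] = true
				alerts = append(alerts, Alert{"burst-failures", ev.User, ev.At})
			}
		case "OK":
			if h := ev.At.UTC().Hour(); h < 7 || h >= 19 {
				alerts = append(alerts, Alert{"off-hours-success", ev.User, ev.At})
			}
		}
	}
	return alerts, nil
}

// AnalyseSample runs the monitor over SampleLog with a five-minute window
// and a threshold of three failures.
func AnalyseSample() ([]Alert, error) {
	return Analyse(SampleLog, 5*time.Minute, 3)
}

func main() {
	alerts, err := AnalyseSample()
	if err != nil {
		panic(err)
	}
	for _, a := range alerts {
		fmt.Printf("%s %-18s user=%s\n", a.At.Format(time.RFC3339), a.Kind, a.User)
	}
}
```

On the sample input, bob's three failures in 45 seconds trip the burst rule while dave's three failures spread over half an hour do not, and carol's late-night success is flagged even though nothing about it failed. The same rules apply unchanged to a hosted system, provided the provider actually delivers its access logs promptly enough for the window to mean anything.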

Frost & Sullivan - are you asking the right questions of your cloud provider?

Research house Frost & Sullivan recommends asking the following business-focused questions when considering the adoption of cloud solutions and selecting a vendor:

* Regulatory compliance: how will your risk exposure change? What are the implications of cloud solutions on your regulatory mandates?
* Data storage: is storage performed by the service provider or a partner? Where is the data stored - on-shore or off-shore? What are the implications of off-shore storage? Can you be certain that nothing more than the appropriate data is being moved into the cloud?
* Data access: how is the classification of data determined? What internal process controls does the service provider use to ensure confidentiality, integrity and availability of data? Does the service provider have the necessary security controls and clearance to access the data?
* Data breach: what indemnity and legal protection is afforded in the event of a data breach? Will the service provider be transparent during a forensic analysis? What is the data breach notification process? Is there a procedure for handling potential brand erosion in this event?
* Data retirement: what are the procedures for data retirement and can the internal controls be audited?
* Multi-tenancy: will shared infrastructure compromise your organisation's business integrity? What protection and processes exist to create 'layers of separation'?
* Best practices: what best practices are used by the service provider (eg, ISO, SAS 70, etc)? How can these practices be audited and monitored?
* Service-level agreements (SLAs): does the SLA address more than availability metrics? Is it possible to enforce penalties or does the SLA operate purely on a service credit basis? What is defined as 'beyond the control'?

Compiled by Tamsin Cracknell
