Friday, October 5, 2012

GHC12: Security and the Cloud

Susan B. Cole of Exceptional Software Strategies, Inc. started out with a great explanation of what exactly the cloud is and what goes into it (data, mostly). Advantages of the cloud? On-demand self-service, broad network access, resource pooling, rapid elasticity and measured service.

Cloud is important - you're probably using it even if you don't realize it. Things like Dropbox and Google Docs are all cloud services. (note: I LOVE Google Docs! Being able to have multiple people modify a spreadsheet without emailing large files back and forth and constantly changing the name to add versioning is so nice!)

The problem, though, is that a lot of people end up building their own clouds out of necessity without considering security - so it's better to use large providers who already have security built into their solutions.

A big benefit of cloud: money savings. For example, the city of LA saved $1.1 Million per year by switching to Google Mail and Google Docs.

But, before you move to the cloud, make sure security and confidentiality are covered, and get this in writing! Service level agreements and contracts are required, because you will no longer be in control of your data. Watch out for a few things: different tenants share the same instance of a service without knowing how strong the others' security controls are; most SLAs do not include security guarantees; and once you're on the cloud, you are open to the world's hackers.

Ask where your data is. If your company is in Maryland but your data ends up in California, you need to be aware of California's data protection laws, since your local state laws will most likely not apply.

Can you get auditing from your cloud provider? HIPAA and PCI help with medical and financial cloud providers, but you still need to check even those to make sure they are in compliance.

While you can do penetration testing on your own network, you can't do this against your cloud provider - the provider won't be able to distinguish your test from a real attack, and what if it works and you take down another tenant? You need to get your provider to do regular security assessments, and you'll have to ask for the reports.

If the provider cannot or will not provide this data? You shouldn't use them!

Does your cloud provider encrypt the data between their network and yours?
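One way to answer that question yourself rather than taking the provider's word for it is to probe the endpoint you actually send data to and check what it negotiates. The script below is an added example, not something from the talk or the post: it separates the network probe from the pass/fail logic so the decision rules can be exercised offline, and the endpoint names in it are made-up placeholders.

```python
"""Check whether the link to a cloud provider endpoint is encrypted in transit.

Added example: the endpoint names used here are assumptions, not real
providers. Decision logic (assess) is kept apart from the network probe so
it can be tested without a network.
"""
import socket
import ssl
from dataclasses import dataclass, field
from typing import List, Optional
from urllib.parse import urlparse

# Versions we are willing to accept for data leaving our network.
ACCEPTED_PROTOCOLS = ("TLSv1.2", "TLSv1.3")


@dataclass
class TransportReport:
    endpoint: str
    encrypted: bool                 # scheme implies encryption at all
    protocol: Optional[str] = None  # negotiated version, e.g. "TLSv1.3"
    cipher: Optional[str] = None    # negotiated cipher suite name
    issues: List[str] = field(default_factory=list)

    @property
    def acceptable(self) -> bool:
        """True only when the link is encrypted and nothing was flagged."""
        return self.encrypted and not self.issues


def assess(endpoint: str, protocol: Optional[str], cert_verified: bool) -> TransportReport:
    """Pure decision logic: given what a probe observed, decide whether the
    link meets the minimum bar. No network access, so it is easy to test."""
    scheme = urlparse(endpoint).scheme.lower()
    report = TransportReport(endpoint=endpoint, encrypted=(scheme == "https"), protocol=protocol)
    if not report.encrypted:
        report.issues.append("plaintext scheme: data leaves your network unencrypted")
        return report
    if protocol not in ACCEPTED_PROTOCOLS:
        report.issues.append(f"weak or unknown protocol version: {protocol}")
    if not cert_verified:
        report.issues.append("server certificate not verified: link could be intercepted")
    return report


def probe(endpoint: str, timeout: float = 5.0) -> TransportReport:
    """Open a TLS connection with certificate and hostname verification on,
    refuse anything below TLS 1.2, and feed the observations to assess()."""
    parsed = urlparse(endpoint)
    if parsed.scheme.lower() != "https":
        return assess(endpoint, None, False)
    host, port = parsed.hostname, parsed.port or 443
    ctx = ssl.create_default_context()            # verifies chain + hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # explicit floor, not a default
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                report = assess(endpoint, tls.version(), True)
                report.cipher = tls.cipher()[0]
                return report
    except ssl.SSLError as exc:
        # Handshake refused: bad cert, hostname mismatch, or old protocol.
        report = assess(endpoint, None, False)
        report.issues.append(f"TLS handshake failed: {exc}")
        return report
    except OSError as exc:
        report = assess(endpoint, None, False)
        report.issues.append(f"connection failed: {exc}")
        return report


if __name__ == "__main__":
    # Placeholder endpoints; replace with the hosts your data actually goes to.
    for ep in ("https://api.example-provider.test", "http://upload.example-provider.test"):
        r = probe(ep)
        print(f"{ep}: {'OK' if r.acceptable else 'NOT OK'} {r.protocol or ''} {r.cipher or ''}")
        for issue in r.issues:
            print(f"   - {issue}")
```

Running it against your real provider hosts tells you three things the contract may not: whether the path is HTTPS at all, which TLS version was negotiated, and whether the certificate actually validates. A handshake failure is itself a finding worth raising with the provider rather than something to work around by disabling verification.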

You need to be in charge of asking these questions to protect your data - meet with your cloud provider regularly!

