For a rapidly growing roster of companies with critical data, migrating to the cloud has moved from an idea to reality. But while cloud services promise rich economic benefits, scalability and flexibility, they also can trigger significant risks for companies highly concerned about security, data protection, reliability and availability.
Primarily, breaches of cloud data could prove devastating and costly, with any breaches sparking downtime. Still, for increased security, you may want to consider the cloud. While this goes against conventional wisdom, there are reasons it makes sense. One, partnering with a vendor with a dedicated data center and one that follows a holistic approach to serving customers can alleviate security concerns. Why? Because of the single-minded obsessiveness that these vendors must bring to bear.
Indeed, a third-party data center with SSAE16 Type II certification will meet and probably exceed the security of centers without this certification. Any cloud environment should sit within this very secure type of data center (one certified by a third party against this internationally recognized assurance audit designed for service organizations).
Two, companies that employ the cloud on their own don’t always have the dedicated expertise to evaluate all of their security and data protection needs. One company, for example, had a growing business and wanted to employ the cloud. But its data center, with a decent-sized server farm, was housed in a converted office space, with cardboard boxes cluttering the space, and a haphazard approach to IT management. Neither system nor access was truly secure, reliable, or available. A data center with operations already tailored to monitoring and managing services for customers can leverage those well-honed skills to enhance cloud offerings.
Safety in the Cloud
Three, data can be protected by taking the proper steps. Although “security of my data” is frequently listed at the top of cloud concern surveys, it’s untrue that data just floats in the cloud where anybody can see it. What is true is that some cloud engagements can provide higher security than others, including do-it-yourself projects. The key is to find the vendor that demonstrates this. No inherent reason exists that automatically makes cloud-based data less secure than data not in the cloud.
If you partner with a data protection vendor, you can count on physical security – a fully protected secure data center – and a multi-element security system in the cloud that isolates and safeguards your important company data with firewalls and threat management. Data protection is tightened by adding layers of detection and security.
What about protection from savvy cybercriminals? A data-protection vendor responsible for safeguarding many customers in the cloud can typically thwart cybercrooks better than organizations can manage on their own, because expertise can be pooled and leveraged for maximum scale.
An experienced threat manager with security expertise and architects in place can greatly reduce the probability of cyberattacks occurring in the first place. (Remember, however, that 100 percent protection from a breach can never be guaranteed.) When a managed database-services provider with its sophisticated detection systems and defenses is monitoring customers, the cloud operations center can spot and address a perceived problem quickly because of the overall larger dedicated base that must be protected.
The IT staff also constantly tests all layers of protection, ensuring that systems are up to date, that all needed patches have been made, and that all housekeeping chores are taken care of. This protects cloud implementations from snooping by other customers within the same environment. Hypervisors prohibit such cross-virtual machine (VM) traffic.
Cost, of course, is a concern that invariably emerges. Usually, cost comes down to how much risk exists and how much you’re willing to spend. Any company using a reputable services provider will get some level of security. But there are multiple variables to consider, including the number of firewalls needed, tighter rules, and degrees of alarm systems.
It often becomes a matter of basic security with additional options. Companies with critical data often consider more sophisticated security systems because of the particular sectors they’re in and the sensitivity of their data, or because regulators require a certain level of protection.
Companies with critical data (and really, what company does not have critical data?) that are considering moving to the cloud must adopt a mindset that a cloud environment can actually provide more security. They must demand that their potential providers prove this. This mindset can help you select a provider that can truly enable a secure, reliable, and available production environment for your specific needs.
Getting started is easy to do. Simply ask yourself several key questions, such as:
· Can I scale up (and down) easily?
· Can my provider clearly demonstrate a high degree of security for my data?
· Can the implementation display a level of availability and reliability consistent with my needs and budget?
· Can my provider add services on top of what I’ve got, but that I don’t want to handle myself?
· Can my data be protected and reliably backed up?
Some of these questions aren’t specific to the cloud. But you should address all of them if you’re moving in that direction.
Len Whitten is director of cloud services product management at SunGard Availability Services.
Edited by Stefania Viscusi