Against a backdrop of global competitive pressures and sweeping mandates for change, many businesses are looking to a new IT delivery service model, cloud computing, to help them meet the business challenge of “How can I do more with less?”
Despite the benefits, many organizations are holding back from adopting cloud computing because of concerns about the security of their data. An IBM study, Driving Profitable Growth through Cloud Computing, found that 80% of enterprises consider security the number one inhibitor to implementing cloud computing. Forty-eight percent of enterprises are concerned about the reliability of cloud computing and one-third are concerned that cloud computing will interfere with their ability to comply with regulations.
While these concerns are understandable, given that cloud computing is a new delivery model, they should not hold businesses back, because they can be addressed through a systematic approach.
Over the past three years, IBM has partnered with clients around the world to deploy different types of clouds. Based on that experience, we suggest that businesses first of all take a step back, and ask themselves some basic questions to determine if cloud deployment is right for them.
The questions include:
- Could we utilise cloud services, and why?
- How will cloud computing support our business and IT objectives?
- What types of workloads can be moved to the cloud?
- What types of services would be most appropriate?
- Would our current IT infrastructure support cloud service delivery?
To get started with secure cloud computing, businesses need to take note of three key principles:
Think holistically. To lower security exposures and ensure cloud resiliency, organisations need to take an end-to-end approach when developing a strategy.
Examine the risk levels of different workloads. Not all workloads are equal. Development and testing carry lower risk than processing highly regulated or proprietary information, such as personal data that requires direct visibility and control. Businesses have to examine the risk levels of their different workloads and decide what level of risk they are willing to accept.
Understand, and take responsibility for, securing cloud computing. Both cloud service consumers and cloud service providers – whether internal IT departments or external service vendors – have responsibilities for cloud security. Their responsibilities shift with different types of cloud computing services. For instance, end users take on much greater responsibility under an infrastructure-as-a-service model than under an application-as-a-service model. Organisations need to understand and agree with the service providers on their respective responsibilities.
From decades of experience building and managing data centres for banks, governments and other organisations, IBM has developed a business-driven, holistic foundation for thinking about enterprise security. Though cloud computing is a new model, we have found that the framework is applicable to our cloud engagements too.
The IBM security framework examines security risks from end to end covering the following core domains:
People and identity. Organisations need to make sure that authorised users across their enterprise and supply chain have access to the data and tools that they need, when they need them, while blocking unauthorised access.
Data and information. All sensitive or regulated data needs to be properly segregated on the cloud storage infrastructure, including archived data.
Application and process. Application and environment provisioning for secure cloud applications and provider processes needs to be established.
Network, server and end point. In a shared cloud environment, the service provider needs to maintain environment testing and vulnerability/intrusion management. It must also configure trusted virtual domains to ensure a secure cloud operating environment.
Physical infrastructure. Resiliency and continuity of cloud computing resources is another important cloud security requirement. The cloud data centres should be physically secure against unauthorised entrance and protected against unexpected disruptions, including natural disasters.
On top of the above components, a governance and audit management program has to be implemented to ensure regulatory and auditing compliance, and to provide visibility into the security posture of the cloud.
Organisations that want to enjoy the benefits of secure cloud computing – whether they are planning to subscribe to public cloud services offered in the market or build their own clouds behind corporate firewalls – have to look into all the above areas. In addition, the experience and expertise of the IT and security professionals involved in cloud services provision are critical.
There is no one-size-fits-all model for security in the cloud. Organisations have different security requirements that are determined by the unique characteristics of the workload they intend to migrate to the cloud. But using a holistic, end-to-end approach, they can gain a better understanding of the risks and make informed business decisions. Rather than being held back by security concerns, they can capture the benefits of cloud computing and help drive business success.