5 keys to a secure cloud—but no guarantees

A lot of ink has been spilled about cloud security. Rather than talking about the fear factor—should you trust your mission-critical apps and data to the cloud?—I'd like to share some concrete advice on how to achieve a more secure cloud in a hybrid IT environment. By looking at five key areas when choosing a cloud provider, you can improve the odds that your cloud won't fall prey to a malicious attack or an infrastructure failure. I use the phrase "improve the odds" deliberately, because no cloud solution is failsafe. If someone tells you otherwise, you should find a new cloud provider.

 

People frequently confuse security with compliance. Complying with industry regulations such as HIPAA and PCI-DSS can help protect your hybrid IT environment, but it's no substitute for a well-defined security strategy.


For example, suppose you're hosting sensitive financial data in a private cloud with appropriate security controls. If you have to engage in disaster recovery, some of that data may burst to the public cloud environment, which may have different trust attestations. The data might stay there, without your knowing whether it's been encrypted or securely stored.

 

Achieving a (more) secure cloud

When evaluating a cloud provider, consider these factors:

  • Industry best practices. You need to guard against vulnerabilities that range from poor configurations to botnet zombies. Some threats come from the inside. Asking your cloud provider how they patch their systems is a basic question, but it's crucial. You need to verify that your provider is following industry best practices. If they say they have industry certifications, ask them how they're updating them, and what sort of attacks are related to those guidelines.
  • A transparent, shared responsibility model. For example, as part of Amazon Web Services security best practices, Amazon states that its customers must follow the shared responsibility model. This requires customers to secure operating systems, platforms, and data. AWS in turn states it will secure its infrastructure and compute, storage, networking, and database services. Responsibility for security should fall on both the provider and the customer. In turn, your provider should be able to address any security concern that you have in a transparent manner.
  • Comprehensive security features. Though not foolproof, full-featured security products can play a central role in guarding against intrusions, especially if they include tools for monitoring, logging, and reporting events.
  • Up-to-date security research. An attacker can take advantage of security research just as easily as a provider can. No solution is invulnerable. By following trends and staying on top of new findings, a cloud provider can help guard against attacks that originate both inside and outside your firewall. HP is dealing with 300 million hits per day on HP.com, managing over 150,000 mobile devices and 1.2 million connected devices across the globe. HP conducts continual security research and threat analysis – using solutions such as Fortify to scan millions of lines of code that are running on HP’s IT infrastructure, and ArcSight to log and analyze over 12 billion security events per day.
  • External partnerships. Such partnerships can help your provider be aware of the latest security research. HP is an executive member of the Cloud Security Alliance, a not-for-profit organization dedicated to promoting the use of best practices for providing security assurance within cloud computing. A coalition of industry practitioners, corporations, and associations leads the alliance.

 

Ask an expert

When it comes to cloud, going it on your own can be a big mistake, as I discussed in my previous post. HP Helion OpenStack Professional Services can help you conduct a risk assessment and assist you with securely building and deploying workloads in the cloud. For more information on HP cloud solutions, visit hp.com/helion.

 

Watch this video in which my HP colleague Ben de Bont recently talked about a blended approach to hybrid cloud security.

The opinions expressed above are the personal opinions of the authors, not of HP. By using this site, you accept the Terms of Use and Rules of Participation.