T-Systems’ AJ Hartenberg looks at the 5 biggest cloud security considerations.
Your Cloud provider certainly has the responsibility to ensure top-notch security, at both a physical data centre level, and the protection of your data itself. But as a customer, you simply cannot shirk the overall responsibility – to select a secure cloud partner and platform, to ensure you comply with your industry’s data governance laws, and use the latest multi-factor authentication and encryption tools. Ultimately, legally speaking, the mandate of being the sole data trustee cannot be outsourced to your Cloud provider.
Look at every aspect of the Cloud platform you choose, such as the physical security systems used at the datacentres, the type of hypervisor that’s used to generate virtualised computing services, the APIs connecting services to each other, and more. Double-check that your Cloud provider complies to local and international data security/privacy laws, as you conduct your thorough due diligence on their platform.
Have you confirmed that your Cloud provider can provide you with a secure online tunnel to their data centre? Have you vetted their data security controls, including the hashing of data? And are they conducting regular penetration tests on their network? These are certainly the kinds of questions you should be asking. Closer to home, you will need to evolve your own organisation's local network to ensure that your network security operations are orchestrated to handle Cloud migration.
The latest advances firewall services can be found in Virtual Domains (VDOM) that segregate any unauthorised network traffic coming into your VLAN, leaving you with a clean, point-to-point connection to your Cloud service provider. When used in combination with strong network security controls, the firewall is a powerful weapon in one’s arsenal of defence weapons.
As you build your Cloud security capability, understand the most critical skills that are required (either in your in-house team or within the Cloud service provider). Look at areas like compliance, risk management, data laws, communication, encryption, penetration testing, and network security. Conduct regular vulnerability assessments that include a skills matrix, to understand and address any gaps in expertise.