More so than other types of hosted environments, when it comes to the cloud, companies worry about the "S" word: Security.

However, most concerns around security are based on fear rather than reality. There are three important things you need to know about cloud security.

First, cloud security is almost exactly like your internal security. The security tools you use every day are the same tools that will be used to protect your data in the cloud. The one difference is that the cloud is a multi-tenant environment with more than one company sharing the same cloud service provider

Second, security issues involving the cloud can all be addressed using your current security tools. Security needs should be carefully considered. But they shouldn’t be viewed as a hindrance if you are considering a move to the cloud. The commodity nature of IT will, over time, require that you move some of your technologies to the cloud to remain financially competitive. So you should begin addressing your security issues now and get ready for the move.

Third, if you select a quality cloud services provider, your security in the cloud will be as good as, or better, than your current security in most cases. Typically, the level of security you get will be designed to meet the needs of the most risky client in the cloud.

“Any organization that says it has never had a security incident or data leak is being deceptive or is unaware of the incidents that it has had.”

IT: Internal or External?

Before addressing the issue of security in the cloud, it may help to address another question first. And that question is not whether to move IT into the cloud, but what should move there. Consider commodities, for example. When businesses started taking advantage of IT, the first organizations to computerize their business processes had significant gains over their competitors. As the IT field matured, the initial competitive benefits of computerization fell. Computerization then became a requirement just to stay on a level playing field. In essence, there is an increasing amount of IT that operates as a commodity.

For example, a paper products company needs a certain amount of unique IT to run its business and make it competitive. But it also runs a huge amount of commodity IT. The commodity technology takes time, money, people and energy away from their business of producing quality paper products at a competitive price. Cloud computing allows companies to offload these commodity technologies and free up resources and time to focus on the core business.

To help you determine what parts of your IT can be moved externally, your first tool is the commodity IT analysis form. This can help you list out all of the functions that your IT organization performs and determine if you think this activity is a commodity or not. Using the fictional paper products producer as an example, eight current IT functions could be considered commodities. Of those, six of them could easily be moved to a cloud provider.

Internal IT Security

The greatest challenge internal IT faces is a perception by some that it no longer helps businesses differentiate themselves from competitors. This devaluing of IT means that many organizations fail to adequately fund required budgets to operate a first-class IT infrastructure. Add to this the increasing number of security mandates from external and internal sources, and IT can’t always fund and operate the in the manner required.

The next problem involves specialization and its effect on business function. Businesses exist as specialized entities. An automotive manufacturer, for example, avoids starting a food production business even though it could feed its employees. Why? For an automotive company, producing food products is not the core business. When you look at funding and maintaining a non-core part of the business, it becomes apparent why IT faces a problem.

For the automotive manufacturer, it is unlikely that its IT department will be as successful as its manufacturing business because it is not its core business. Conversely, a business that has IT as its only product line, or service, should be more successful at providing first-class IT. So, if an automobile manufacturing company is not going to operate a best-in-class IT business, why would we expect its security to be as good as the best-in-class IT company? A company that does IT as its business has a much better chance of securing your data. The quality of its product, and its market success, stands on the effectiveness of its security.

Cloud Security Challenges: What to Consider when Choosing a Cloud Provider

The challenges of cloud computing are very similar to those of any other organization. Like internal IT, cloud providers have internal and external threats that can be mitigated or accepted. But none of the security challenges in cloud computing are insurmountable:

Multi-tenancy:  As long as the cloud provider builds its security to meet the higher-risk client, then all the lower-risk clients get better security than they would have normally. The cloud provider must design its security to meet the needs of the higher-risk clients—and the other companies reap the benefits.

Security Assessment:  Over time, most organizations tend to relax their security posture. To combat this, the cloud provider should perform regular security assessments done by someone who is experienced and able to identify issues and fix them. The report should be provided to each client immediately after it is performed so they know the current state of the overall cloud’s security.

Shared Risk:  In many instances, the cloud service provider will not be the cloud operator. But, it may be providing a value -added service on top of another cloud provider’s service. For example, if a Software-as-a -Service (SaaS) provider needs infrastructure, it may make more sense to acquire that infrastructure from an Infrastructure-as-a-Service (IaaS) provider rather than building it. In this type of multi-tier service provider arrangement, each party shares the risk of security issues because the risk potentially impacts all parties at all layers. This issue must be addressed by taking into consideration the architecture used by the main cloud provider and working that information into the client’s total risk mitigation plan.

Staff Security Screening:  Most organizations employ contractors as part of their workforce. Cloud providers are no exception. As with regular employees, the contractors should go through a full background investigation comparable to full-time employees. The cloud provider must be able to provide its clients with its policy and document that all of its employees have had a background check performed, according to the policy. Further, clients should contractually bind the cloud provider to require the same level of due diligence with its contractors.

Distributed Data Centers:  Disasters are a fact of life. They include hurricanes, tornadoes, landslides, earthquakes and even fiber cuts. In theory, a cloud computing environment should be less prone to disasters because providers can provide an environment that is geographically distributed. But many organizations sign up for cloud computing services that are not geographically distributed. So, they should require their provider to have a working and regularly tested disaster recovery plan, which includes SLAs.

Physical Security:  Physical external threats should be analyzed carefully when choosing a cloud security provider. Do all of the cloud provider’s facilities have the same levels of security? Are you being sold on the most secure facility with no guarantee that your data will actually reside there? Do the facilities have, at a minimum, a man trap, card or biometric access, surveillance, an onsite guard, a requirement that all guests be escorted and all non-guarded egress points be equipped with automatic alarms?

Policies:  Any organization that says it has never had a security incident or data leak is being deceptive or is unaware of the incidents that it has had. It is unrealistic to assume a cloud provider will never have an incident. Cloud providers should have incident response policies. And they should have procedures for every client that feed into their overall incident response plan. Additionally, data that falls under legislative mandates, or contractual obligation, should be encrypted while in flight and at rest. Further, a yearly risk assessment just on the data in question should be done to make sure the mitigations meet the need.

Coding:  All cloud providers still use in-house software, which may contain application bugs. So every client should make sure that the cloud provider follows secure coding practices. Also, all code should be written using a standard methodology that is documented and can be demonstrated to the customer.

Data Leakage:  Data leakage has become one of the greatest organizational risks from a security standpoint. Virtually every government worldwide has regulations that mandate protections for certain data types. The cloud provider should have the ability to map its policy to the security mandate you must comply with and discuss the issues.

While security emerges as a major concern, the key to understanding security in cloud computing is to realize that the technology is not new, or untested. It represents the logical progression to outsourcing of commodity services to many of the same trusted IT providers that we have already been using for years. Examples of previous “cloud computing” capabilities include hosted mainframes (more than 40 years), hosted file and mail servers (AT&T, IBM in the early 90’s), and software services like SalesForce.com. Moving IT elements into the cloud is just a natural part of the evolution of IT.

By Carl Almond - A Practical Guide to Cloud Computing Security