Cloud Security – an oxymoron or matter of policy?

We all know what an oxymoron is, adopted phrases that seem to describe something but use two diametrically opposed words to convey them, e.g., A Fine Mess, A Little Big, A New Classic, Accurate Estimate, Almost Ready, Awfully Good, Auto Pilot, About the Same, Anxious Patient, and so one.

So we have a new one, Cloud Security, or is this really an oxymoron?

It has been assumed by many that putting your information in the cloud is less secure than having it in your network servers, in your building, in your suite, where you can put a hand on it if needed.  The very places where your IT staff and users have direct access to your intellectual property and the physical hardware that holds it, then again, so does everyone else on the planet for that matter.

The very place that if a fire or natural disaster happened to level the building, could very well put you out of business altogether, never mind a rampant virus or disgruntled employee, occasional thief, or drunk driver that takes out the power pole on the corner Saturday night.  All of these things can happen, they do happen, and they happen without any notice.  Are you prepared?

Security is in the eye of the beholder in this case.  A cloud provider’s architecture assumes security and redundancy and business continuity above everything else.

Today, the BOTnet and computer Trojan attacks are so common they barely make the news, because general computer security and antivirus software is getting that much better at keeping them from the headlines.  The biggest threat still comes from outside of your local network.  There are two fundamental considerations in security design:

  1. The overall level of security protection is only as good as the lowest common denominator, as attackers will always find the weakest link, ALWAYS!
  2. Complexity is the enemy of security.  Comprehensive security approaches have the upper hand.

Security Policies define the simplest, lowest common denominator necessary to meet business security goals.  In order to accomplish this objective the following topics must be considered.

  • Virus Protection
  • System Penetration
  • External hacking
  • Theft of proprietary information
  • Theft of transaction information
  • Financial fraud
  • Unauthorized insider access
  • Denial of service (DoS)
  • Web site vandalism
  • Internal hacking
  • Physical break-in and/or theft of computer equipment

Your Local Network:  Complex and costly solutions

Policies are needed to cover your entire local network.  Those policies need to be policed, monitored and tested by software, hardware and people.

  • An Overall Data Security Policy – including your IT Staff
  • A Network Access Security Policy – including secured remote access
  • A Server and Workstation/Laptop/Device Security Policy – minimum acceptable configurations and security implementations and controls before anything touches your network
  • Business Continuity Policies – redundancy, backup, resumption

By implementing these policies and the electronic controls to govern them, you can effectively thwart most any conventional attack, and have a solid plan for recovery if something does get by your fences.

Please keep in mind, this is just a taste of what’s needed.  Once firewalls, content filtering, data management and access controls, device access controls, remote systems access, and others are all implemented, they need to be monitored, updated, and tested on a very regular basis.  Oh and lets not forget reported on to management.

The Cloud Network:  Complex and costly solutions too!

Cloud providers vary in service level and offering from simple email hosting to full application and data warehousing for your company.  Their level of security and controls compliance also vary, depending on their focus and niche specialty.  The one thing they all have in common – security as a core practice.

Cloud providers know they are under all our scrutiny, magnifying glasses and general doubt.  After all, why store your data and applications in the cloud (Internet) where all the viruses are to begin with?  That’s the assumption and perception that Cloud providers have been dealing with for a decade now.

In reality, they are more secure than most companies could ever afford to be.  They have to be to gain your trust.  They have dedicated teams, working 24×7 monitoring security and creating policies, protecting your data, and ensuring that nobody else can see your data but you, per their Service Level Agreements.

Can a cloud provider be hacked?  Yes, every network can be hacked, but the real question is this:  Can I afford to make my network just as secure if not more, just as redundant if not more, just as reliable if not more, fully Business Continuity Centric if not more?  That answer is likely No, unless you are Fortune 2000 or better company.

Leave a Reply