Securing the Cloud

By Gareth Williams

Any cloud that relies on the public Internet for its connection is exposing its data to unnecessary risk. CIO’s and CTO’s are right to be cautious when faced with highly unpredictable access through the Internet. What is the alternative?

 

Clouds of confusion

It’s easy to forget from the constant barrage of marketing messages and hype that heralded the arrival of cloud computing that we’re still in the early days of enterprise adoption. Given the wave of enthusiasm that carried the cloud message to all corners of the IT world, it’s also not surprising that there is a still great deal of confusion regarding what cloud computing actually is.  What is broadly accepted though, is that cloud computing has the ability to fundamentally change an organisation’s IT for the better.  The cloud effectively frees the enterprise from its responsibility for directly managing large parts of its IT infrastructure. Instead, it allows businesses to benefit from increased efficiencies and flexibility by moving IT infrastructure into a shared resource, managed by a trusted third party that is the ‘cloud’.

Adding to this confusion is the variety of services available from cloud computing.  The most commonly talked about is Software-as-a-Service (SaaS), where business applications like desktop productivity, accounting, collaboration and enterprise resource planning are delivered to the user’s desktop on demand (think streamed video rather than physical DVD).  At the other end of the cloud is Infrastructure-as-as-Service (IaaS), which enables organisations to purchase processing, operating systems, storage and networking on a utility basis.

[ms-protect-content id=”9932″]

The over-emphasis on the freedom that the cloud brings, seems to have left many believing that it really does have the ability to fly or at least that it does not have to be grounded by any kind of physical asset, but rather exists, Zen like, floating within the Internet in an open access environment.  Understandably, this has lead to deep-routed concerns over the suitability of the cloud to hold sensitive and confidential data securely.  But even with SaaS and IaaS the software, applications and physical infrastructure have to exist somewhere and travelling from that place to the people who want to use it requires a physical delivery platform. It is this that dictates how secure the cloud really is.

One alternative to a public cloud environment is the private cloud. Private clouds do not cross the public Internet; they enable the same high level of protection of established private networks, but with the flexibility of an internet access model.

Is life in the cloud inherently insecure?

Three out of four businesses think so, rating security in the cloud as their biggest challenge. Whilst it is fair to say that sharing resources from a vast, undifferentiated pool of servers and switches carries its own real risks, it is the path to the cloud that businesses need to chew over first. Any cloud, however secure, that relies on the public Internet for its connection is exposing its data to unnecessary risk. CIO’s and CTO’s are right to be cautious when faced with highly unpredictable access through the Internet, where service level guarantees are non existent and the access is, well, ‘public’.

One alternative to a public cloud environment is the private cloud. Private clouds do not cross the public Internet; they enable the same high level of protection of established private networks, but with the flexibility of an internet access model.  Whilst a few question whether the private cloud is a misuse of the term ‘cloud’ due to its inference around open access shared resources, the principles of pooling resources and on-demand service are ever-present in this scenario. By taking a slice of an IP network that is separate and securely partitioned from the Internet, organisations can benefit from service level guarantees around the availability and performance of their computing resources. For corporations, this is the biggest advantage of the private cloud – vastly improved security, with the flexibility of the public cloud. Often created from privately owned infrastructure where access is tightly controlled and guarded, private clouds are much more suitable where data security is essential.

 

Security: back to basics

It might be a simple premise, but data in the cloud is like any other data governance issue: if it is poorly managed then it will be insecure; if it is properly managed then it is more secure. The cloud doesn’t naturally make your data vulnerable; security remains a function of how you control access to the data, the defences remain the same.

Unlike the public internet, security measures such as DDoS protection, firewalls, and intrusion detection and prevention technologies should come as standard in private clouds. There are legislation stamps to monitor whether the latest security measures are adhered to. By classifying data and then building the right layers of protection around it, organisations can be assured that their assets are secured.

 

Security comes at a price – build or buy?

The very fact that private clouds are built on assured and dedicated infrastructure to guarantee control and greater security, generally means that building a private cloud is the more expensive option.  After all, purchasing the infrastructure resource and the power to transform a data centre into a private cloud, not to mention centralising computer and storage systems, requires significant capital. The downside is that these clouds generally don’t deliver the key advantages of cloud computing: open access to your community, efficiency and the ability to rapidly flow data and computing resource over your “own private internet” to the entire business.  These are best served through finding a provider that can give you the privacy you need but the flexibility of the internet based solutions. Using a providers Private IP network enables your network to access shared corporate computing resources, whilst remaining separate and secure from the Internet. Private clouds bought in this way, as a service, build cloud computing into your corporate network infrastructure, offering a secure controlled cloud environment with guaranteed higher availability, inherent disaster recovery, as well as flexible and scalable capacity. This model enables organisations to benefit from a greater level of protection than a DIY private cloud, but with the flexibility of an Internet delivered model.

 

Between the ground and the cloud– hybrid cloud

As the name suggests, the hybrid cloud sits between public, private and more traditional ways of managing IT. If your IT department has just invested in physical infrastructure or if you’re running an application that won’t run on a cloud based service then you can create a “hybrid cloud”, allowing you to push some of your data into a private or public cloud. This will be a very common situation for many as they move from the traditional capital and manpower intensive model of managing ICT infrastructure, to the more flexible, cost effective and immediate delivery of the cloud.

The secret to unlocking the cloud, and getting both security and efficiency, is ensuring that business executives understand how their cloud is accessed and connected: in essence, who controls the ground beneath the cloud.

Conclusion: The ground beneath the cloud

There is no getting away from the fact that cloud computing services are still developing. And, until the fog of confusion surrounding cloud computing and its security implications clears, there will be those reluctant to adopt it. That said, the benefits – flexibility; scalable costs; and, enhanced performance – are too good to ignore. Who doesn’t need the flexibility to migrate, change and re-organise their IT world, as their business needs change? Is there any CIO out there not wanting to scale their IT costs according to volume and usage? Moreover, centralising the physical technology and improving efficiencies by outsourcing the maintenance and support just makes plain sense.

But organisations don’t just have to maintain security levels; they need to improve them. Simultaneously, they must increase access and transparency internally and externally. While business executives have long realised that access to required information everywhere enhances productivity, up until now, many organisations have had to choose between security and efficiency. The secret to unlocking the cloud, and getting both, is ensuring that business executives understand how their cloud is accessed and connected: in essence, who controls the ground beneath the cloud. Then, for the organisation as a whole, or within the divisions or applications being supported, they can select the cloud delivery platform that matches their security requirements.

About the author

Gareth Williamsbecame CEO of Interoute in August 2007. Prior to that he served as President Global Markets building the sales and marketing unit of Interoute across the 29 countries in which Interoute now operates. He joined Interoute to aid James Kinsella with the restructuring of the company in 2002 and has overseen the growth of Interoute from zero revenues Jan-03 to €272m in Dec-09. On taking over as CEO he has managed the transition of Interoute from loss making start-up to operationally profitable to now in 2010 a cash flow positive business.

Before joining Interoute Gareth held senior positions in the telecoms and IT services sector, ranging from high-tech start-up to major telco joint ventures. Gareth spent the first 13 years of his career in BT and was privileged to play a part in the globalisation of telecommunications. He has lived in the USA & Europe managing national, regional and global business units with operations in every continent of the world. He is married and has 4 children.

For further information please visit:

http://www.interoute.com/

 

[/ms-protect-content]

LEAVE A REPLY

Please enter your comment!
Please enter your name here