Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

Hybrid Cloud Computing Security: Real Life Tales

Bob Violino | March 5, 2011
Mixed IT infrastructures, including cloud and non-cloud systems, will be the norm at many companies for many years. Learn about key cloud security concerns and solutions from three early cloud users.

Rawlings is currently evaluating cloud services from vendors such as Microsoft (MSFT), Rackspace and IBM (IBM) to help handle its fast-growing data-processing demands. But the company's processing needs--it has several hundred terabytes of data in-house--render those services too costly under their current monthly pricing structure, Landgrave says.

"So far it's much more expensive to use the cloud for the size of data sets we're talking about," he says. "It quickly becomes cost-prohibitive."

Cloud Security, Compliance and Integration

Once companies have made the decision to deploy cloud services--or even before they've made the decision--they need to ensure that adequate security is in place to safeguard information in the cloud."Security is by far the biggest concern and can be something that's addressed at all levels," Garvin says.

"For example, software developers can learn techniques to employ when creating applications to eliminate some security threats such as SQL injection, while other security safeguards can be implemented in the hardware. Our thought is that the most robust security is going to have to come at the hardware level, as it will always be possible to hack code in the cloud."

Garvin says one of the most impressive hardware solutions is Intel's (INTC) Trusted Execution Technology, which provides processor-level extensions to create many separate execution environments, known as partitions. This is useful in cloud security, she says. "It also provides for secure key generation and storage, and it checks the BIOS upon execution to detect tampering," she says.

IBM has also been doing something similar with chipsets used in embedded systems and mobile devices as part of its Smarter Planet drive, Garvin says, and these could help with cloud client security. "Built-in capabilities in chipsets provide for hardware storage of security-related data like keys, certificates, data and checksums, and also provide some assistance in encryption and decryption," she says.

Silva says it's especially important that companies evaluate the level of visibility, controls and security in place at the cloud provider. "The biggest threat is [not] understanding the risk profile the provider brings to the table," he says.

Part of the vendor evaluation should be exploring its infrastructure, which could be dedicated or shared among other customers, Silva says. If it's shared, what's the risk of other customers taking actions that could put your information or privacy in jeopardy? Companies using cloud services should evaluate the provider's risk profile on an ongoing basis, he says, not just at the outset.

Building strong security can also include writing security requirements into contracts with cloud-service providers and following up to make sure these requirements are being met. To thoroughly evaluate its external cloud vendor's security posture, Rawlings pored over documents to make sure the provider had the proper controls in place and was monitoring them.

 

Previous Page  1  2  3  4  5  6  Next Page 

Sign up for CIO Asia eNewsletters.