For OpSource, not to mention Amazon Web Services (AWS), Rackspace, Terremark and others, the answer is a layer 2 virtual LAN. In OpSource's case, customers connect to the cloud using VPN clients or site-to-site VPN terminations. This makes the public cloud an extension of the private cloud, resulting in a secure hybrid cloud.
For the National Highway Traffic Safety Administration, which in 2009 had 30 days to set up and test the infrastructure for President Barack Obama's Consumer Assistance to Recycle and Save (CARS) Act, the answer was the CloudSpan CloudConnect Gateway from Layer 7 Technologies. This service let the NHTSA put its servers in the public cloud and add appropriate security controls. As a result, the program known as cash for clunkers was able to process claims and award rebates to more than 690,000 Americans who traded in old automobiles for newer, cleaner and safer ones.
VPN-enabled public clouds and additional security layers such as CloudSpan are only two of the many ways to address public cloud security concerns. Each option comes with its own pluses and minuses, with cost, complexity, and performance and latency overheads among the drawbacks.
Organizations can optimize their approach to public cloud security by deciding how mission-critical an application is, as well as how secure the data for that application need to be. Here are 10 more ways to strengthen public cloud security to support enterprise use.
1. Select the Right Apps for the Public Cloud.
Some businesses, including most start-up companies, begin by using the public cloud for all applications, including mission-critical apps and their data. Palo Alto, Calif.-based Pinterest, the fast-growing social media site with 150 AWS instances and more than 400 TB of data at last count, is one such start-up with all applications on the public cloud.
However, public clouds are not for every organization. Within an organization, they're not for every application, either. Generally speaking, the enterprise applications suitable for the public cloud aren't subject to stringent security requirements. For such applications, including websites, application development, testing, online product catalogs and product documentation, the default security provided by most cloud service providers (CSPs) will be more than adequate.
2. Evaluate and Add Security, If Necessary.
CSPs provide significantly different levels of public cloud security. Pay attention to this while evaluating CSPs. The ISO/IEC 27000 series of standards provides guidelines for systematically examining information security risks, taking into account the threats, vulnerabilities and impacts, for designing and implementing a comprehensive suite of information security controls, and for adopting management processes to ensure that guidelines are followed.
Organizations considering moving sensitive applications and data to the public cloud may need to evaluate and compare different CSPs based on these standards. If necessary, security measures that are used in an organization's internal private cloud may need to be extended to its public cloud instances. As noted, products such as CloudSpan let an organization enforce the same standard of information and application security policies on private and public instances alike.