When a family with a baby buys a new car, they don't buy a car seat from the vehicle manufacturer: There is specialized equipment to handle the family's most sensitive asset. John Pescatore, a Gartner vice president and security analyst, says cloud security can be thought of in a similar way: Users shouldn't rely on their cloud service provider's security features to protect their most critical data.
Sensitive information that needs to be protected -- customer data, mission critical applications, production-grade information -- in many cases needs its own security controls to be fully protected. "As you move out to cloud-based models, there are some things you can trust your cloud provider with, but for critical business data and regulation-controlled information, very rarely is the infrastructure going to be enough," Pescatore said during a webinar sponsored by Gartner this week.
AS YOU LIKE IT: Customizable cloud SLAs on the way, researchers predict
MORE CLOUD: 5 desktops in the cloud
Security remains a top concern for companies looking to deploy a cloud strategy, but Pescatore says there are ways to alleviate the fears. One key, he says, is to have security provisions that are designed to specifically protect cloud applications, data or workloads. A prime example is credit card information. Payment Card Industry (PCI) certification requires that any customer credit card data that is stored electronically be encrypted. Some cloud service providers will offer encryption services within their cloud-based storage offering. But, there are a range of third-party applications that customers can buy to provide encryption services, distributed denial-of-service (DDoS) protection, and access control measures that are tailored specifically for cloud deployments. Many of these are delivered in a cloud format.
There are a variety of cloud security products on the market for numerous functions. Providers such as Zscaler, Websense or ScanSafe from Cisco are "gateway" products that sit between the user and the cloud provider to monitor what data is being put into the cloud and to make sure malicious data or applications don't penetrate into the user's system. If the cloud is being used to host a website, there are website protection services, such as Imperva, CloudFlare and even some from Akamai in this area, for example.
Overall though, Pescatore says cloud security starts at a basic level. Most enterprises begin their journey to the cloud with a private, internal cloud, and that's a good place to start with security controls, too. "Get security right in the private cloud first, then extent it into the hybrid and public," he suggested. Having processes in place to protecting virtualized environments from outside attacks is important, he says. "Get visibility into the system, the change controls and the vulnerabilities," he says. This includes securing the orchestration of the architecture and the provisioning of new accounts, domains and virtual machines.
Sign up for CIO Asia eNewsletters.