It’s true: Moving operations to a public cloud requires organizations to become comfortable with letting go of complete control of their data. While handing over control of organizational data to a third party inevitably creates a vulnerability, data stored in the cloud isn’t inherently less secure than non-cloud data.
We reached out to Kurt Roemer, Citrix Systems’ chief security strategist, to get a better understanding of how companies can secure their data in cloud environments that they own or don’t own.
ROEMER: Security in the cloud can actually be stronger than traditional data center security — especially with a cloud provider that details their security measures with full transparency. Many organizations and departments that can’t afford all required physical protections, layered security technologies and rigorous administrative processes for separation of duties — just to name a few — will find a much improved security experience in the cloud.
Even within traditional data centers, line-of-business departments that have not owned all of the security assets and processes have trusted the IT department with their security for years — even outsourced IT. The cloud simply abstracts the data center further, but it must be professionally managed to a defensible level of security, compliance and privacy.
An organization should ensure that required security processes and technology are available to protect sensitive data before engaging with a cloud provider and throughout the term of contract. Carefully read the terms of service, including all changes during the relationship.
ROEMER: The hybrid cloud leverages both organizationally owned and managed data center assets — private cloud — along with public-cloud technologies. By architecting for a model that enables applications and data to be secured in both private and public clouds, sensitive data is protected wherever it resides. Of course, the connection points between the public and private clouds, including networking, directory services and policies, must be specified and automated to ensure that security requirements are met.
Hybrid-cloud technologies are increasingly being used for processing sensitive data; for instance, for cloudbursting by retailers during peak holiday times and for exchange of protected healthcare data by healthcare institutions.
ROEMER: The most common mistake is IT assuming that the cloud can be managed like a traditional data center — which forces the IT department to consider only private clouds. While not every sensitive workload is ready for deployment in a public cloud, there are many applications, including those that process confidential data, that can benefit from the security, agility and cost-effectiveness of cloud computing. IT departments need to work closely with lines of business to understand business objectives first and apply appropriate IT disciplines second.
ROEMER: Consumer-grade cloud services for file transfers, storage and backup have been a real boon to productivity and data availability for personal usage. The problem is in using these consumer-grade cloud services for sensitive data, which can place an individual and their organization in violation of contracts, regulations and laws. The IT department needs to have enterprise-grade solutions available that match or exceed the functionality of consumer-grade cloud services and also provide for enterprise security. Users want to do the right thing, and if IT adopts a “How can we securely do this?” approach instead of a “How can we shut this down?” approach, greater security and productivity will be achieved.
ROEMER: Unfortunately, cloud computing suffers from many of the security scourges we’ve been dealing with in traditional IT. Bad passwords, account sharing and lack of encryption are but a few of the more common issues that can continue into the cloud. Fortunately, there’s a silver lining — with the cloud being a new environment, support for outdated legacy security technologies is not a design goal as it all too often is in traditional IT.
A newly architected cloud application can consider multitenant administration, delegated responsibilities, distributed lifecycle management and security automation to enforce security from the user experience to data management. The automation of security as clouds are provisioned and managed throughout the lifecycle can greatly reduce the vulnerabilities that would otherwise enable attackers.
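The "security automation as clouds are provisioned" idea above, and the common issues named earlier (bad passwords, account sharing, lack of encryption), can be made concrete as a provisioning-time policy gate. The script below is an added illustration, not code from the interview, Citrix or Kurt Roemer; the resource shapes, field names (`encryption_at_rest`, `owners`, `mfa`, `password_length`) and the sample inventory are constructed for the example and do not correspond to any provider's API.

```python
"""Provisioning-time policy gate (added example, not Citrix's or Roemer's code).

Evaluates a constructed inventory of cloud resource definitions against the
baseline controls the interview names: encryption at rest, no shared
accounts, strong credentials. Field names are hypothetical.
"""
from dataclasses import dataclass

MIN_PASSWORD_LENGTH = 14  # assumed organizational minimum, not from the page


@dataclass(frozen=True)
class Finding:
    resource: str
    control: str
    detail: str


def check_storage(res):
    """Storage must be encrypted; sensitive storage must never be public."""
    findings = []
    if not res.get("encryption_at_rest", False):
        findings.append(Finding(res["name"], "encryption",
                                "encryption at rest is disabled"))
    if res.get("public_access", False) and res.get("classification") == "sensitive":
        findings.append(Finding(res["name"], "exposure",
                                "sensitive data is publicly reachable"))
    return findings


def check_account(res):
    """Accounts must belong to exactly one person, use MFA and a long password."""
    findings = []
    owners = res.get("owners", [])
    if len(owners) != 1:
        findings.append(Finding(res["name"], "account_sharing",
                                f"{len(owners)} owners; expected exactly one"))
    if not res.get("mfa", False):
        findings.append(Finding(res["name"], "mfa", "MFA not enforced"))
    if res.get("password_length", 0) < MIN_PASSWORD_LENGTH:
        findings.append(Finding(res["name"], "password_policy",
                                f"password shorter than {MIN_PASSWORD_LENGTH}"))
    return findings


# Dispatch table: unknown resource types are flagged rather than silently passed.
CHECKS = {"storage": check_storage, "account": check_account}


def evaluate(resources):
    findings = []
    for res in resources:
        checker = CHECKS.get(res.get("type"))
        if checker is None:
            findings.append(Finding(res.get("name", "?"), "unknown_type",
                                    f"no policy for type {res.get('type')!r}"))
            continue
        findings.extend(checker(res))
    return findings


def gate(resources):
    """Return (approved, findings); a pipeline deploys only when approved."""
    findings = evaluate(resources)
    return (len(findings) == 0, findings)


def summarize(findings):
    """Count findings per control so the failing controls are visible at a glance."""
    counts = {}
    for f in findings:
        counts[f.control] = counts.get(f.control, 0) + 1
    return counts


# Constructed sample inventory: two storage resources, two accounts.
SAMPLE_RESOURCES = [
    {"type": "storage", "name": "phi-archive", "classification": "sensitive",
     "encryption_at_rest": False, "public_access": False},
    {"type": "storage", "name": "static-assets", "classification": "public",
     "encryption_at_rest": True, "public_access": True},
    {"type": "account", "name": "ops-shared", "owners": ["alice", "bob"],
     "mfa": False, "password_length": 8},
    {"type": "account", "name": "carol-admin", "owners": ["carol"],
     "mfa": True, "password_length": 20},
]

if __name__ == "__main__":
    approved, findings = gate(SAMPLE_RESOURCES)
    print("approved" if approved else "blocked", summarize(findings))
    for f in findings:
        print(f"  {f.resource}: {f.control}: {f.detail}")
```

Run against the sample inventory the gate blocks deployment: the unencrypted sensitive archive and the shared, MFA-less account with a short password each produce findings, while the public static bucket and the single-owner admin account pass. Wiring such a check into the provisioning pipeline is what turns "security requirements" into something enforced at every lifecycle step rather than audited after the fact.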