Skip Links

Building a fortress in the cloud for your critical data

By Jose Albino, director of operations and compliance, Hughes Cloud Services, special to Network World
November 26, 2012 11:55 AM ET

Network World - Businesses are in the crosshairs as military and spy organizations around the world step up their cyber-snooping techniques, and the shift to cloud is only exacerbating the risks. How can you be sure your cloud partner is capable of protecting your data from cyberattacks?

Most cloud providers agree that security is the paramount, but in reality many do not possess the fundamentals to protect your data. Just because a cloud provider has performed a baseline security assessment does not mean the vendor is truly capable of protecting your data.

ROUNDUP: The worst data breach incidents of 2012

By asking the following questions of potential cloud providers, organizations looking to move some or all of their enterprise data and applications to the cloud can eliminate about half of the cloud vendors and find comfort in knowing their selected partner will be well-equipped to protect their information.

1. What encryption methods will be employed for my data?

Asking what encryption methods are employed is essential in defining the level of security or protection used. To fully protect data, it needs to be encrypted at rest and in transit.

There are built-in capabilities within the traditional databases that take advantage of Transparent Data Encryption (TDE) functionality. TDE is a technology employed by both Microsoft and Oracle to encrypt database content, offering encryption at a column, table and tablespace level. TDE solves the problem of protecting data at rest, encrypting databases both on the hard drive and consequently on backup media. Enterprises typically employ TDE to solve compliance issues such as PCI DSS. Encryption can also be applied via third-party software.

If encryption is applied, you need to ask what functionality is used. Determine if it is inherent capability or third-party software. Ask if they are using a specific PKI strategy and whether they are using data loss prevention (DLP) tools. All of the answers to these questions define how your data is protected and the "security maturity level" of your potential cloud provider.

Another element of this question is organization-specific. Based on what industry you are in, there will be some minimum requirements in place that will tell you whether or not you can store your information in a cloud provider's facility. Government organizations, for example, require that data is protected by token-based encryption. If your potential partner cannot come up with that answer, then you will not be moving into that facility.

2. What compliance regulations do you subscribe to?

Given your organization, there may be specific compliance regulations for housing and managing your data. By choosing a cloud provider that already adheres to PCI security standards for credit card transactions or to HIPPA for storing medical records, for example, you are able to ensure that, without question, auditors will find this data to be properly secured.

To be certain you are meeting these regulations, you should be able to request to test these security standards. Any trustworthy cloud provider will gladly allow you set up a vulnerability test on the facility to prove they meet your compliance needs.

Our Commenting Policies
Cloud computing disrupts the vendor landscape

 

Latest News
rssRss Feed
View more Latest News