Since we published our last cloud article, there have been multiple high-profile data breaches, including a recent breach of hosting provider Melbourne IT. So we decided to ask the companies about their security technology and approach.
Carlo Minassian, CEO and founder of security vendor Earthwave, said that there are a number of security challenges that providers haven't yet addressed. Firstly, all data is treated equally without classification, which leaves customers vulnerable to a breach that they might not know about for months or years. Secondly, the staff members at the providers most likely haven't undergone police checks. Lastly, the focus is generally on data protection, rather than threat detection and response.
It's difficult to compare the security aspect of clouds, because there are so many features that you could call out as affecting security. The only generalisation you can make about security among the cloud providers we approached is that it's a very moveable feast. Some called attention to the physical security of their premises and facilities. Some were keen to push their network security, with protocols and policies that extend right through to the user. Many talked about the virtual security on their servers.
A common theme was dedicated Virtual Local Area Networks (VLANs). Even though you might share bandwidth with your provider's other customers, a VLAN puts you on a separate "channel" or broadcast domain from everyone else. As well as addressing network-management and scalability issues, it's good security practice (think of building a long, watertight dam down the middle of a river, keeping the flow separate from the source until it reaches you).
If you ask your cloud provider about their onboard security solutions in both hardware and software, you'll hear an array of product names, all as dizzying as those that exist in the consumer sector, like AVG, BitDefender, Norton, and so on. You can try to investigate the merits of vCloud Director, vShield, Juniper EX switches, and SRX firewalls, but perhaps even more important when it comes to cloud security is response.
The practices that you and the provider can employ to stay secure are varied. You can have them close data ports (80 for the web, 24 for FTP, etc) by default, so that only you can enable them, depending on the data that you will be working with. You can also define lists of security access levels for you, your staff, and those at the cloud provider itself. At the most basic level, it might just mean a security watch that notifies you 24-7 if there's a problem on your server.
The security features might all be a blur when choosing a provider, but here's a trick: learn about just one or two that your cloud provider has, and quiz your contact about them relentlessly. It'll soon separate those that take security seriously from those that just wanted the tick of approval because it looks good in the marketing documents.
Security's also about more than protection. A targeted attack can and will get around firewalls and other "blanket" solutions if the bad guys are persistent, clever, or resourced enough. In the new world of threats, where it's about profit rather than bragging rights, they won't want you to know they're in your data, because they want time to do the largest amount of damage possible. If attackers get around your cloud server's protective measures, ask your provider how soon you'll find out before there's irreparable damage to your reputation or bottom line.