Security remains the top concern for enterprises considering a move to cloud services. This issue has been aggravated in our post-Snowden world. While security must be an important priority, it requires a sense of proportion rather than a fear-based approach.
The press for tighter security coming from IT and regulators is very intense, but there must be space for a discussion of the cloud's business value and how it can help companies become more agile and insightful.
As members of the Cloud Strategy and Customer Co-Innovation team, we regularly meet customers and discuss expectations, opportunities, and concerns. Many roundtables, discussions, forums, and expert sessions with different organizations in many geographies -- as well as user group meetings -- helped to shape the thoughts in this blog.
Let's look into the 3 most important aspects of security.
1) Location Matters
Cloud conversations are dominated by one question: “How secure is the cloud?” This is a tip of the iceberg question that normally leads to questions around:
- Physical security and data location
- Network security
- Backup & recovery
- Confidentiality & integrity
- Data portability
However, according to the Verizon Data Breach Investigation Report (DBIR), 86% of all security breaches were accomplished by the use of stolen login credentials, making secure enforcement of employee authentication and scrutiny of single sign-on policies a must.
The location of the datacenter or centers where the cloud solutions and the customer data is stored and processed raises further discussions, as IT has to worry about where the data is located physically. The strictness of European regulations, and especially regulations in Germany (Germany’s Federal Data Protection Act, known as Bundesdatenschutzgesetz or BDSG, was reformed significantly in 2009 to cover a range of data protection-related issues), can help build trust when deciding on a geographical location for customer data.
And let's not forget, all of the above applies to on-premises as well as cloud solutions.
2) It is all about trust
With cloud computing, the perception of security changed fundamentally. It makes trust the top asset and brand value for any service provider. This is what drives us, as it should any other vendor in this area.
You need to handle data with the utmost discretion and strive to deliver services and support that allow business-critical processes to run securely.
You need to protect our customers against unauthorized data access and misuse, as well as confidential data disclosure, using various measures for employees, applications, organization, systems, and networks.
You can find more details in a presentation about cloud security here.
Cloud computing takes the burden of commodity tasks off the in-house IT staff and enables them to concentrate on value-add tasks. At the same time, cloud vendors concentrate on specific tasks and professionalize them to the maximum. This constant repetition and automation -- plus application of best practices learned through hundreds or thousands of engagements -- helps eliminate manual steps and sources of errors.
Data encryption for user devices using SSL is another good example. You need to control every level of the cloud-computing stack, from datacenter to database to middleware and the applications layer. In a good public cloud model, every layer of the stack goes through rigorous security audits and adheres to stringent security standards. We follow transparent security and auditing standards and adhere to the strictest data privacy standards.
3) Manage the militarized and a de-militarized zone on the Web
EU 95/46 EC, PCI-DSS, ISO 27002, BS7799, ASIO-4, FIPS Moderate, BS10012, SSAE-16/SOC2… This is just a partial list of the most important audit standards and certificates that apply to datacenters and IT services.
These are just a few examples of a long list. To answer all these challenge, your vendor should conduct a SSAE16-SOC2 Type II audit at least twice a year.
Your vendor should have achieved all of these certifications. In addition, its network architecture should be multi-tiered. In our case, end-user traffic is limited to the front Demilitarized Zone (DMZ) tier of Web servers only. Each single tier in the hosting environment is organized into a DMZ-like pattern. This allows a firewall or Virtual Local Area Network (VLAN) separation between each tier. Requests are validated individually before the next tier independent request is created.
Security is a serious concern for us (considering that we have 65,000 employees in 150 countries using our own cloud solutions), along with our customers and partners. Making security as simple as 1-2-3 is a top priority.
Looking forward to hear your thoughts and follow me on twitter @SDenecken to see this journey unfold.
If you want to see a good example, check here www.sapdatacenter.com