March 3, 2013 | Written by: Turgut Aslan
Share this post:
Cloud is everywhere, and it is penetrating our lives and the industry more and more, even if it is not physically visible to us. This fact may contribute to one of the major concerns about cloud: IT security and privacy. News about breaches into server systems, leaks in social media networks, industrial espionage in well-established industries and other security incidents increase the fear that such things can happen to yourself or your company.
More than fifteen years ago, when IT security started to become a concern and firewall technology become popular, a company creating firewall technology got a “splendid” idea. They recognized that selling a piece of firewall software alone did not bring expected earnings. When they started to buy low-end computers that satisfied the minimum requirements to run their firewall software and painted the boxes a fiery red, their product sold splendidly. The customer CEO was not only able to tell that they have a firewall enabled, but also point to the red box and feel more comfortable because he or she had a dedicated physical box.
So when we talk about infrastructure as a service (IaaS) as an abstract cloud service, the customer wants to know how security on cloud compares to the traditional IT environment with firewalls, routers, switches and servers running on dedicated hardware. The answer is: it depends!
How is traditional IT infrastructure secured?
Take the traditional in-house IT infrastructure of a medium-sized company as an example. This infrastructure may be protected by any of the following:
• Physical means
• Network separation
• Appropriate user ID and password management
• Security patch management
• Harmful code software
• Vulnerability scanning
• System security checking
• Encryption of sensitive data and network traffic
• Intrusion detection and prevention systems
• Unauthorized activity monitoring
• Logging and alerting
• Employee IT security awareness education
Applying a robust security policy, industry best practices and leading edge security tools will contribute to confidence in a high level of IT security. Additionally, this company may seek and receive certifications like the ISO27002 standard. Traditional IT environments can be made very secure depending on how much effort and money you want to spend!
Cloud uses the same approach to security
The same IT security policies, standards and best practices can be applied in the cloud as well! When you think of a cloud offering as an evolution of the traditional IT infrastructure and virtualization of components previously running on dedicated hardware, certain things change for sure. The provisioning or deletion of a standard virtual server happens much faster than doing the same on dedicated hardware, for example. But certain things remain, like your company’s security policy.
The question is regarding how you use the virtual server: Do you want to process sensitive data or business critical processes on it? You can! You have to ask the same IT security, privacy and regulatory questions you would ask in the traditional IT environment. You may have to ask additional questions, such as how to prohibit the possibility of an unauthorized deletion of virtual instances or how to ensure that sensitive data from various sources is encrypted and not being mixed with each other.
Experienced IBMers enable cloud security
Cloud computing can be made, at minimum, as secure as the traditional IT environments. But the IT security gain is not done by painting firewall boxes in bright red, but by enabling the right level of IT security policies in the cloud infrastructure and the provisioned virtual machines (VMs). IBMers work as security architects, security specialists, developers, testers and auditors to make the cloud even more secure than the traditional IT. They’ve run their own and customers’ traditional IT environments for decades and are best positioned to bring their security experience into the cloud—and they do it continuously. In the end, it’s the customer who decides on the level of IT security in the cloud or the traditional IT environment they want to afford based on the risk assessment made.
Cloud is real and you can touch it! Some misconceptions sometimes make us believe that it is less secure than traditional IT. Have you asked your cloud provider about the IT security policy they have implemented in their offerings? Please leave your comments below or find me on LinkedIn.