August 3, 2015 | Written by: John Campbell
One common theme I come across when working with clients is the need to achieve balance. The objective is to create new and innovative services that grow and enhance the business. Achieving that while also delivering availability, reliability and security is where the challenge becomes complex.
Look across a hybrid cloud estate, which brings together traditional systems, public clouds, and both known and anonymous mobile users, and the points of risk are wide and varied. It is easy to constrain a service so heavily, through disproportionate controls, that it becomes all but unusable. We’ll take a look at the security concerns associated with this challenge, and at how to open the service to its full potential safely.
Hybrid and mobile each carry a varied set of threats. So let’s look at a few, starting with data locality. In essence, this is the question: where is my data when it is in the cloud? Is it on my premises, in a public cloud data center, on a mobile device, or spread across a mix of those?
Data partitioning, that is, knowing what data you have, what can go out into the public domain and which crown jewels must be kept secure, is a core design concept for any hybrid implementation. The very ease and value of a cloud, its ability to rapidly spin up servers and move virtual machines from place to place, becomes a data management worry when geolocation regulatory controls must be met. Mix in mobile devices used by known or anonymous users, from corporate sources or BYOD, and you have an end-user estate where control is possible in some places but not practical in others.
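The two questions the paragraph above raises, "what data do I have?" and "where may it live?", can be turned into a placement check that an orchestrator runs before it spins up a server, migrates a VM or syncs data to a device. The following is an added example written for this page, not code from the original post or from IBM; the classification labels, hosting tiers, region names and the policy table that joins them are all hypothetical, and the data inventory is constructed for the illustration.

```python
"""Data-residency placement guard (added example, not from the original post).

All labels, tiers, regions and the MAX_TIER policy below are hypothetical.
"""
from dataclasses import dataclass
from enum import IntEnum
from typing import FrozenSet, List, Optional, Sequence


class Sensitivity(IntEnum):
    PUBLIC = 0        # may go out into the public domain
    INTERNAL = 1
    CONFIDENTIAL = 2
    RESTRICTED = 3    # the "crown jewels"


class Tier(IntEnum):
    """Hosting tiers ordered from most to least organizational control."""
    ON_PREM = 0
    PRIVATE_CLOUD = 1
    PUBLIC_CLOUD = 2
    MANAGED_MOBILE = 3   # corporate-owned, MDM-enrolled device
    BYOD_MOBILE = 4      # personal device, possibly an anonymous user


# Least-controlled tier each sensitivity may occupy (hypothetical policy).
MAX_TIER = {
    Sensitivity.PUBLIC: Tier.BYOD_MOBILE,
    Sensitivity.INTERNAL: Tier.MANAGED_MOBILE,
    Sensitivity.CONFIDENTIAL: Tier.PUBLIC_CLOUD,
    Sensitivity.RESTRICTED: Tier.PRIVATE_CLOUD,
}


@dataclass(frozen=True)
class DataAsset:
    name: str
    sensitivity: Sensitivity
    regions: Optional[FrozenSet[str]] = None  # None: no residency constraint


@dataclass(frozen=True)
class Location:
    region: str
    tier: Tier


@dataclass
class Decision:
    allowed: bool
    reasons: List[str]


def evaluate_placement(assets: Sequence[DataAsset], target: Location) -> Decision:
    """Decide whether a workload carrying `assets` may run at `target`.

    Mixed data takes the strictest classification present: bundling public
    data with restricted data never loosens the rule. Residency is checked
    per asset so that each reason names the offending data set.
    """
    if not assets:
        return Decision(False, ["workload declares no data; classify it first"])
    reasons: List[str] = []
    strictest = max(a.sensitivity for a in assets)
    if target.tier > MAX_TIER[strictest]:
        reasons.append(
            f"{strictest.name} data may not be hosted on {target.tier.name}"
        )
    for a in assets:
        if a.regions is not None and target.region not in a.regions:
            reasons.append(
                f"{a.name} must stay in {sorted(a.regions)}, not {target.region}"
            )
    return Decision(not reasons, reasons)


def permitted_targets(assets: Sequence[DataAsset],
                      candidates: Sequence[Location]) -> List[Location]:
    """Filter a VM migration plan down to the locations the policy allows."""
    return [loc for loc in candidates if evaluate_placement(assets, loc).allowed]


# Constructed inventory for the example (not real data).
PRODUCT_CATALOG = DataAsset("product_catalog", Sensitivity.PUBLIC)
CUSTOMER_PII = DataAsset("customer_pii", Sensitivity.CONFIDENTIAL,
                         frozenset({"eu-west", "eu-central"}))
PAYMENT_KEYS = DataAsset("payment_keys", Sensitivity.RESTRICTED,
                         frozenset({"eu-west"}))

if __name__ == "__main__":
    web_tier = [PRODUCT_CATALOG, CUSTOMER_PII]
    for loc in (Location("eu-west", Tier.PUBLIC_CLOUD),
                Location("us-east", Tier.PUBLIC_CLOUD),
                Location("eu-west", Tier.BYOD_MOBILE)):
        d = evaluate_placement(web_tier, loc)
        print(loc, "ALLOW" if d.allowed else "DENY", d.reasons)
```

The design choice worth noting is that the check is evaluated against the strictest asset in the bundle and fails closed on an unclassified workload: a VM that has never been inventoried cannot be moved anywhere, which is exactly the pressure that forces the "what data do I have?" question to be answered before the cloud's mobility is used.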
Human nature also plays its part: even with the best intentions, end users do not prioritize securing their mobile devices, and each unsecured device opens another potential access point to corporate data.
Hybrid also brings a particular problem: it brings together vendors and clients that will, by definition, hold differing views of risk management. Differing policies, approaches and regulatory obligations mean that a traditional centralized security policy no longer fits the bill.
The number of potential risks seems endless, and it is easy to conclude that the problem is too hard to address, or that a more secure solution would significantly reduce the business value that cloud’s flexibility offers.
Traditionally, a defense in depth approach has been taken to securing any system. IBM’s MobileFirst method, for example, provides a development capability that is fast, repeatable, secure and standardized, with a consistent user experience. It integrates easily into the enterprise, which allows speed and creativity in the service being created while building it on a solid foundation.
Move into the cloud data center, and this solid foundation continues to be strengthened. Good practice such as continual monitoring, encryption, data sanitization and ongoing penetration testing, in physically secure locations, many of them in country and independently accredited to ISO 27001, provides confidence that we value your data as much as you do.
But what makes this approach to security unique is the transparency of the process. Open inspection demonstrates the ability to deliver the necessary security levels. Moreover, we work with you to build a level of security tailored to your needs and specifications, so that the risk level is one you set rather than one imposed on you.
This layered approach should be transparent, from the staff who service your systems through to the way your service provider engages and works with you.