Focus: Data security in a hybrid cloud


Hybrid Cloud – first in a series of pieces on the developing hybrid cloud market

The move towards hybrid cloud working – the combination of using public and private clouds to complete processes and store and manage data – is now becoming widespread in organisations.

ChannelBiz considers what companies have to do to make sure they meet the demands of cloud data protection in their hybrid clouds.

Concerns around the security of the cloud are seen as a barrier to cloud adoption. But there are several steps organisations can take to safely gain the cost and business advantages of hybrid cloud working, without having to compromise the security of applications.

Many well-established security technologies and processes can be applied to hybrid cloud computing deployments to deliver enterprise-class security. And in many cases a hybrid cloud provider can achieve better security in a virtualised environment than internal enterprise IT teams.

Reducing the risks

When reducing the risks of moving data or applications over to hybrid clouds, firms cannot usually rely on a “one size fits all” scenario. Not all risk scenarios are the same. For instance, some critical applications might be too important to move to a cloud service provider from an internally hosted data platform, or extensive security controls might be deemed “over the top” for relatively low-value data being moved to a public cloud storage platform.

When it comes to hybrid cloud security, firms should take the approach they should always take on security, and that’s a risk-based approach. They should select the right security options for their individual cloud service.

Identifying a strategy

To decide on the security needed for cloud roll-outs, organisations must first identify the assets they are actually moving to the cloud, which can normally be put in either of two areas: data or applications/processes.

Firms should also take account of the fact that whole processes do not necessarily have to move into the cloud. For instance, companies can host an application and the data in their own data centre, while still migrating a chunk of its functionality into the cloud through a platform-as-a-service arrangement.

The next step is to evaluate the importance to the organisation of the data or process that is being moved. Essentially, when considering moving assets from the organisation to an outside cloud provider, firms should consider the same things they look at when considering an outsourcing contract.

For instance, what would the damage be if the data wrongly became publicly available, and what would be the business effect of downtime from the unavailability of data?

Know your hybrid data flows

In addition, firms may also need to map out a data flow relating to the cloud deployment service under consideration. They should consider the data flow between their organisation, the cloud service provider, and any customers, partners or other cloud connections. Such a data flow will show how data can move in and out of the cloud, illustrating the security requirements.

After going through this process organisations should be clearer about what they are moving into the cloud, their risk tolerance, and which type of cloud provision suits them. With all this information at hand, organisations can then decide on the best security protocols and security systems to be put in place.

As well as security hardware and software options, security systems and foresight may also include on-site inspections of cloud providers, data encryption schemes, audit and data retention policies, and reassurances sought from the cloud provider that their service can meet the specific industry compliance demands of the customer.

But above all, the key to a successful cloud computing security plan is involvement in, and support for, the plan across the organisation. Security departments can be tempted to build out vast arrays of policies that are difficult to implement across the organisation.

Prioritising policies and ensuring that they are not in conflict with other policies from different departments is essential for establishing support and acceptance of cloud security policies.

Cloud Security Alliance

The Cloud Security Alliance (CSA) helps to reassure organisations that the cloud systems they are using come up to the mark.

The CSA is backed by the likes of HP, Google, Verizon, Intel, McAfee and Microsoft, and sees major cloud providers submit reports to a registry of cloud security controls. The CSA Security, Trust and Assurance Registry (STAR) is a free and publicly accessible registry that documents the security controls provided by various cloud computing offerings.

Consumers of cloud services should therefore consider STAR reports as part of their hybrid cloud procurement process.

In a rapidly changing cloud market, meeting security needs can appear challenging, but with careful planning and outside support where necessary, the obstacles can be overcome.

@AntonySavvas