Christian Szell: Is it safe? Is it safe?
Babe: You’re talking to me?
Christian Szell: Is it safe?
Babe: Is what safe?
Christian Szell: Is it safe?
Babe: I don’t know what you mean. I can’t tell you something’s safe or not, unless I know specifically what you’re talking about.
I am reminded of this question when people say, “public clouds aren’t secure,” or more recently, “multi-tenant applications aren’t secure.” So, are they? Are they safe? Are they secure? Like Babe, I can’t tell you something’s safe or not, unless I know specifically what you’re talking about. Just like the word, “cloud computing,” we need a more sophisticated understanding of what the word “security” means.
Security is a complex topic. In this article we’re going to simplify security as follows: A business-application cloud service is secured if, and only if, it meets your definition in five key areas: hardening; identity and access management; auditing; testing; and compliance. By the way, all of these requirements apply to all of the technology underlying the application. So for those of you who are more analytical, draw a 5×5 matrix with the five pillars as your columns, and application, platform software, compute and storage, datacenter and network as your rows.
- Hardening. Any application cloud service (actually any application) depends on not only the integrity of the application itself, but also all the supporting software and hardware. So at the most basic level, you must make sure the latest security patches have been applied and there are no viruses, malware or unknown software in your storage management, operating systems, databases or middleware. If the application down to the network is not hardened, then all bets are off. What are your requirements?
- Identity and Access Management. The implementation of any security policy is dependent on knowing the identity of an individual. Once authenticated, access management is deciding what data or operations the individual can do. Just like the speakeasies during Prohibition, someone has to know who you are and then what rooms you can enter. Remember, your requirements for identity and access management start from the mobile device and extend through the application into the supporting software, hardware, datacenter and networks. By the way, increasingly there are operations management cloud services that provide solutions from small companies like Okta, to large companies like TrendMicro who introduced SecureCloud to protect access to data in storage cloud services when the current access management isn’t adequate.
- Auditing. A key principle in building secure systems is auditing. Auditing is the recording of all the changes that happen to the application and the underlying technology. Largely because any system built by people will have flaws, you want to be able to study the audit trail and perhaps identify the source. Intrusion-detection solutions from suppliers like HP and Raytheon use real time auditing to sound the alarm when a security fault occurs. Maybe one day, like the characters in the movie Minority Report, we’ll be able to discover a security fault before it happens, which brings us to security testing.
- Testing. There is a wide variety of tests that can be run to determine whether the security of the application and the underlying technology can be compromised. This class of operations management cloud services is available from a number of companies including McAfee, Perfecto, SecNap and WhiteHat. What security testing is required for each application in your portfolio?
- Compliance. As computing is becoming a part of all industries, there are increasingly sets of standards or rules, which are being applied. Two of the more well-known compliance standards are PCI DSS and HIPAA. PCI DSS provides highly specific guidance for the credit card industry as to a minimum required set of security controls. Under HIPAA, the federal government developed privacy principles and security guidelines for healthcare patients, healthcare organizations, and service providers. Which of these and the many others coming into existence are requirements for your application?
So, I hope you’ll realize the statements, “the public cloud is insecure,” or “multi-tenancy is not secure,” are very unsophisticated views of a complex topic. My hope is that when you purchase cloud services, you’ll have made your definition of security based on these five pillars so you’ll be able to determine, “It is safe?” “It is secure?”