‘Good Enough’ Protection in the Cloud
There is a lot of fear out there when it comes to dealing with the cloud, especially with so much hype surrounding the technology. However, what you do, and do not, commit to the public cloud is entirely your call.
To misquote George Orwell’s classic, ‘Animal Farm’: ‘All clouds are equal – but some are more equal than others’. The other key thing to remember is that not everything is for the cloud, so it’s a matter of each to its rightful place.
Is your information highly sensitive? Then use private clouds, so that you benefit from scalability and flexibility internally, without exposing your data to the Internet. Consider which are your crown jewels of information and what protection you have around these. Is it good enough? Should those defences be more robust?
The starting point is to look carefully at each workload when deciding which kind of cloud your data should be in. The relative merits of issues such as availability, security – and the likely costs involved – are all factors that will help you pinpoint exactly what you are happy to send into public clouds and what you are not. You also need to find out what policies the cloud provider applies to your information. For example, do they encrypt your data? What security controls do they have in place? Do they delete your data when you no longer want it in the public domain?
Once you are satisfied on all of these issues, you should apply appropriate protection mechanisms, based on what information you are making public and the level of protection you therefore require. When it comes to developing a solid strategy, it’s important to define information management policies, based on data classification, and to assess the data’s suitability for migration to the cloud. Here are some pointers:
For Private Clouds:
- Create a ‘Class of Service’ model, with defined information availability and protection characteristics, underpinned by appropriate technical capabilities.
For Public Clouds:
- Ensure you know how data is stored, protected, recovered, discovered and destroyed by your provider.
- Know what level of controls and protection the provider puts on data, since you won't know the technology behind them.
- Encrypt all data wherever possible – in motion and at rest.
- Use controls to ensure only permitted data is moved to the cloud.
Some final words of advice: ‘Don’t not do it, but don’t do it blindly.’ Remember, you can move a lot of things to the cloud, but responsibility for protecting your organisation’s data isn’t one of them.
Effective information security is the key to enabling the trust and confidence that will make your cloud model successful.
Would you agree? What are your thoughts on this? We’re keen to get your feedback, so do let us know.