One of the biggest stumbling blocks when it comes to cloud services, either public or private, is security. So what should you look out for when choosing a cloud service provider?
Databarracks’ Head of R&D, Radek Dymacz, gives his advice:
Service providers and customers have different definitions of what “the cloud” is. As a result, you see a lot of offerings in the marketplace that would have been described as “hosting” a few years ago but are now termed “cloud services”. Quite often, these older services won’t have the same security features built into their cloud infrastructure.
There’s also a tendency to think of cloud computing as being some abstract service existing in the ether. It isn’t. These services are hosted on actual servers in real data centres. Even if you’ve made sure your cloud infrastructure is correctly isolated and secure, it will still be vulnerable if the hosting site is unsafe. If someone can break into the data centre and steal your hardware, as happened to Vodafone, then your data and even your whole operation is at risk. Several hundred thousand customers were affected after thieves stole equipment from one of the telecom giant’s data centres in Basingstoke last year. So make sure your cloud provider’s data centre has robust physical protection and the strictest protocol when it comes to access.
But while many IT managers think their data will be better off kept in-house in their own server room, a good cloud service provider should be able to improve security practices – after all, you are buying into their resources and best practices.
Public cloud security is usually self-service and straightforward. Public cloud vendors are generally larger and quite transparent about security. With the public cloud, you can spin up a server very quickly, but it is also your responsibility to secure and protect it, which includes having a backup of your server should something go wrong.
In the case of virtual private cloud infrastructure, the service provider will generally take on responsibility for security in areas like backup or managing firewalls. But you need to be clear about what’s included in the service provider’s scope and what’s left to you, the customer, to manage.
Virtual private clouds should conceptually be more secure, but there are more private cloud service providers and so more ways to architect a private cloud. The greater range of options leaves an increased chance of security problems.
If opting for a virtual private cloud through a service provider or IaaS, investigate the network and OS level security measures in place. You may also want additional security features which don’t necessarily come as standard in cloud services. For example, 2-factor authentication isn’t a universal feature, but will improve access security.
Like the public cloud, virtual private cloud services are based on using a shared, multi-tenanted platform. Therefore, the important questions to ask your service provider should be focussed on network security: how is the environment set up to allow for network isolation? What underlying technology has the service provider built their cloud services on?
Established technologies, such as VMware’s vCloud, have network security technologies built in. vShield, for instance, is designed specifically with cloud service providers in mind. There are lots of new products on the market, so you need to ensure your service provider is using proven technology and that it’s included as part of the service.
Additionally, check what provisions are in place to prevent brute force attacks on the network. This can be as simple as automatically denying access if a password is entered incorrectly more than a pre-set number of times.
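The lockout control just described, as an added example that is not Databarracks’ code or part of the original article. It assumes a threshold of failed attempts within a sliding window and a time-limited lockout (the numbers are constructed defaults); locking for a limited period rather than permanently keeps a flood of bad passwords from locking legitimate users out indefinitely.

```python
"""Failed-login lockout: deny access after too many wrong passwords.

Added example (not the provider's code). Assumed policy: max_failures
wrong passwords within `window` seconds locks the account for `lockout`
seconds. Timestamps are plain epoch seconds supplied by the caller.
"""
from collections import defaultdict, deque


class LoginThrottle:
    def __init__(self, max_failures=5, window=900, lockout=1800):
        self.max_failures = max_failures
        self.window = window            # seconds over which failures are counted
        self.lockout = lockout          # seconds an account stays locked
        self.failures = defaultdict(deque)  # account -> timestamps of recent failures
        self.locked_until = {}              # account -> epoch seconds when lock expires

    def is_locked(self, account, now):
        until = self.locked_until.get(account)
        if until is None:
            return False
        if now >= until:                # lock has expired; forget it
            del self.locked_until[account]
            return False
        return True

    def record_failure(self, account, now):
        """Register a failed attempt; return True if it triggers a lockout."""
        recent = self.failures[account]
        recent.append(now)
        while recent and now - recent[0] > self.window:
            recent.popleft()            # drop failures older than the window
        if len(recent) >= self.max_failures:
            self.locked_until[account] = now + self.lockout
            recent.clear()
            return True
        return False

    def attempt(self, account, password_ok, now):
        """Decide a login attempt: 'locked', 'ok', 'denied' or 'locked_now'."""
        if self.is_locked(account, now):
            return "locked"             # refuse before the password is even checked
        if password_ok:
            self.failures.pop(account, None)   # success resets the failure count
            return "ok"
        return "locked_now" if self.record_failure(account, now) else "denied"
```

In a real deployment the counters live in shared storage so every login node sees the same state, and each lockout event is logged so the security team can spot a sustained guessing campaign.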
Keeping your data private doesn’t just mean thwarting threats from hackers – it can just as easily be preventing access to your data from any other parties. The most high-profile example of this would be the USA Patriot Act. Quite simply, if your data is hosted in the US or by a US-owned company, it falls under the jurisdiction of the USA Patriot Act. The US government can demand to see your data and the service provider will be forced to hand it over. So question how sensitive your data is before storing it with a US provider and make sure your contract is super tight.
As standard, data in transit should be encrypted but for most cloud services, data at rest won’t be. If your information is very sensitive, you may want to include encryption of data at rest in the cloud. However, be aware that it will have an impact on performance.
There are other standards to look out for when it comes to selecting a service provider. ISO 9001 is a BSI-assessed certification which indicates that a company is well managed, while ISO 27001 is the globally recognised benchmark for information security.
Above all, you need to have a solid service level agreement which not only guarantees levels of physical and digital security, but also gives a clear indication of which areas are the responsibility of the provider and which are accountable to the customer.
Radek Dymacz is Head of R&D for Databarracks, a provider of cloud hosting, virtualisation and managed backup services. Radek studied computer science in Poland and joined Databarracks as an Open Source and Linux/Unix specialist 5 years ago. He has since progressed to become Head of R&D and is responsible for keeping Databarracks ahead of the competition when it comes to technology adoption. His other areas of expertise include cloud security, Object Storage and Enterprise Storage. In his spare time, Radek enjoys composing music and playing guitar.
Databarracks provides secure cloud infrastructure, backup and disaster recovery services from UK data centres hosted at The Bunker.