When you start thinking about using a Cloud Service provider to host your business applications one of the key points to consider is the level of security provided. It is also critical to understand that public Cloud Service providers are not responsible for security at the Virtual Host level and nor are they responsible for the way customers choose to configure various network access controls.
Tier 1 Cloud Service providers do provide very high levels of Physical and Network security controls but it is up to the Cloud Service Integrator to ensure that Virtual Host security and network access controls are configured appropriately.
To help you understand what to look for here are some critical areas of security you need to have in place to mitigate as much risk as possible.
At a minimum your datacenter should be highly resistant to this set of physical security threats;
- Environmental - flood, fire, power and cooling interruptions.
- Access Control - grant physical access only under tightly controlled conditions, including strict two factor authentication processes and tiered security zones.
- Site Monitoring - 24 x 7 site monitoring using CCTV and access control monitors.
- Data Loss - storage (hard drives) that are end of life should be physically destroyed to prevent unauthorised data recovery.
As with all other levels of security controls network security should be designed around the principle of Defence in Depth, which essentially means multiple redundant layers of security are applied to protect vulnerabilities from a wide variety of attack vectors.
In particular the following set of systems and controls need to be applied;
- Routers deploying network traffic filtering rules
- Firewalls that use packet filtering with stateful inspection
- Network segmentation and isolation
- Defence against distributed denial of service (DDoS) attacks
- Traffic encryption and secure network tunnels
Virtual Host Level Security
The Virtual Host can be considered to be the Customers server that hosts the Customers application. The Virtual Host will often be based on a Windows server or Linux operating system. The security applied to the Virtual Host is really the responsibility of the Cloud Service Integrator and to some extent the Customer. When the Virtual Host is initially built for the Customer, a machine image is used that contains an up to date patch set. The initial provisioning of this machine image is essentially the last point that the Cloud Service provider will be responsible for Virtual Host security.
It is important that your Cloud Services Integrator is able to provide these set of security and data integrity controls to protect your Virtual Host (i.e. Windows or Linux) servers.
- Automated application of software patches
- Appropriate Access Controls
- File level security controls
- Encryption of data at rest
- Network traffic encryption
- Authorised application controls (software restriction policies)
- Audit trails
- Backup and Disaster Recovery
While this is not intended to be an exhaustive list of security mechanisms that need to be applied to your Cloud hosted business systems, it does provide a guide to what a business should have in place to protect critical business IT systems.
For further background information on Cloud Security provided by Tier 1 Cloud Service providers follow the links below.
Links for further information
Tech Journalist, Rupert Goodwins discusses Cloud Security.
Dr. Paul Miller from cloudofdata.com talks about Security in the Cloud.
Pete Boden, Online Services Security and Compliance General Manager for Microsoft provides a brief overview of Microsoft Cloud Infrastructure security and compliance.