by Kate Milosevich

Concerns over cloud computing

Organisations hesitant about migrating

Cloud computing has some organisations nervous about information security.

Identity management, including roles and rights, end-point security and access control, is a cornerstone of any ICT security solution, but is particularly important when it comes to the cloud.

Thus applying stringent identity management, security and access control on a need-to-know basis is a vital foundation component of an end-to-end cloud security solution.

Secure communication into the cloud

With cloud services it is essential that data not be compromised when transferring between the user and the service provider. When data is sent over public networks such as the Internet, it must be encrypted to prevent access by unauthorised parties, to safeguard integrity and confidentiality.

Transparent contracting 

Cloud applications can be distributed across multiple data centres, and the availability, confidentiality and integrity of data exchanged by cloud services and distributed applications within the cloud must be protected at all times.

Data can also be moved from one data centre to another in order to create back-ups or improve resource utilisation.

IT systems in data centres

When deploying cloud solutions, additional security measures are required at the data centre.

Cloud computing is based on multiple clients sharing the same hardware and software. It is therefore important to implement mechanisms to safeguard systems, applications and data.

This requires virtual segregation of users to ensure that they cannot access another user’s data and compromise the integrity of systems.

Data should also be isolated in dedicated network storage areas, similar to hard drives, which are accessed by the users’ servers via the network.

These should be connected in such a way as to ensure that customers can only access their own data, as though they had their own dedicated drive.

Protecting IT systems on the service provider side

To ensure the right level of security, mechanisms that protect systems, platforms and applications must be implemented at the data centre.

In addition, there needs to be a secure link between the IT components stored at the data centre and the connection to the outside world.

To ensure effective protection of the network segments, service providers need to employ two different types of firewall.

Firstly, they require firewalls that perform stateful inspections of communications, ports and applications.

Secondly, they need deep-inspection firewalls that can scan data transfer protocols for “good” and “malicious” queries.

Further key mechanisms include proxy servers and reverse proxies that filter and convert both incoming and outgoing data traffic, shield sensitive information, minimise vulnerabilities and help make ICT more secure.

Data centre security

Buildings and hardware assets at the data centre require physical security as well as technology security, including physical access control and intrusion detection.

Data centres must be constructed to enable the building to withstand natural hazards, potential physical sabotage and fire.

Data centre protection should also include alarms, fire detection, surveillance, vehicle monitoring and control, and extensive staff checks to prevent attacks from within.

Security management and secure administration

The human factor plays a pivotal role not only in the security of cloud services for users; it is also an extremely important issue for the service providers themselves.

For this reason, providers should operate a dedicated information security management system (ISMS) which defines processes and rules for the effective management of information security.

Cloud providers must also draw up rules that ensure employees meet security requirements and specify which users can access which systems and data and who is responsible for which operational and security-related tasks.

Service management and availability

Application downtime can be detrimental for business, particularly when mission critical systems are affected.

As a result, organisations using the cloud must be involved in the definition of appropriate service levels. Service providers need to safeguard availability by creating redundant systems and backups that allow for system recovery following downtime.

Contracts, process integration and migration

Requirements must be outlined and any necessary changes need to be implemented and monitored.

Organisational structures and processes must be in place to enable a rapid response to security incidents or threats.

Services must be clearly defined in a service level agreement and mission critical applications need to be identified to ensure the correct levels of availability and security. 

Security and vulnerability management

To avoid migration issues, any weaknesses or faults in infrastructure must be identified and addressed from the outset. This involves comprehensive testing and risk assessment. 

This begins with documentation and correct management of configuration data. Proactive management of vulnerabilities, along with other developments designed to offer visibility into security, enhance it and eliminate breaches in advance, is also critical.

Security reporting and incident management

Visibility into the degree of security achieved is critical for mitigation of business and legal risks with regard to the impact on IT-supported business operations and potential compliance breaches. Security reporting provides this visibility, offering insights into the effectiveness of the protection mechanisms in place.

Analysing this data enables measures to be modified, replaced or enhanced as required, leveraging the information available for proactive corporate risk management.

Requirements management and compliance

Users must comply with legal, regulatory and industry-specific requirements, including in-house policies, contracts with customers, suppliers and partners, and other obligations. 

In essence, organisations need to select cloud service providers carefully, in order to ensure services are delivered in a secure, compliant manner and that risks both internal and external can be minimised.


