5 ways cloud security is like data center security and 5 ways it's not
One of the major misconceptions in comparing cloud security and data center security is that they somehow exist as separate entities. In fact, your data center and operations in the cloud, whatever they may be, are inexorably linked.
The reason is simple: The data and applications that exist in the cloud are necessarily part of what’s in your data center, and your data center exists as the primary interface to the cloud.
Any division between your data center and the cloud exists primarily in the context of data storage: what data is kept locally, and what data is stored primarily at a remote location. Exactly what data that is depends on how your organization chooses to manage data. For example, some organizations keep some data within their local data center (for performance reasons or security), while others won’t even consider that. Likewise, your organization may choose to keep data and applications in the cloud to keep costs under control, or to make sure there’s one data repository for all corporate data. However, you may also choose to place data in a remote location because it’s more secure than your own data center.
Security is a necessity whether your data or applications are held locally or in the cloud. But while some aspects of security are the same whether your data is in the cloud versus held in your own network, you need to be cognizant of the important differences between the two that can impact how and if you use the cloud.
Why data center security matters to the cloud
You still need to maintain a secure data center even if you keep a substantial portion of your organization’s data in the cloud. The data that resides in the cloud either came through your data center originally, and is being retrieved to your data center so that you can use it, or it’s accessible from your data center.
Equally important, your data center is effectively the gateway to your data in the cloud. When your employees use your organization’s data to do their jobs, they use your data center to get that data. For example, employees may use applications that run on their own workstations or in your data center, but in either case, their requests for data go through your data center, even if it’s only to get to the cloud.
In addition, your data center is an important layer of defense. That’s most obvious in terms of managing endpoint security. It’s also important in ensuring that only authorized users can get to applications that access your data, and that they do so for authorized purposes.
Exactly how your data center interacts with your cloud service depends to a considerable extent on how your organization uses the cloud. For example, if you’re using the cloud as infrastructure (it’s simply providing remote facilities for jobs such as storage), then you have a different set of security requirements than you do if you’re using software as a service. If the cloud is just infrastructure, then you’re still responsible for most of the security picture, and it’s up to you to maintain the applications, updates, and the like. However, if you’re using a SaaS approach to the cloud, then the provider is responsible for part of the security picture, including software maintenance and updates.
The five ways security is the same
You still need to maintain a secure data center. Even if much of your data is located elsewhere, your local servers still contain data that must be protected.
Your data center is the gateway to the cloud. In addition to holding critical data, your data center is the primary means of access to your data in the cloud.
Critical software resides in your data center. The applications you need to access data in the cloud are likely in your data center. Access to those applications also provides access to your data one way or another.
Access to your data center is also access to the cloud. Whatever your IT strategy, you need to maintain security in endpoints, user access, and physical security. There’s more to securing your data than preventing malware and blocking hackers. The physical security of your data center is central to protecting the integrity of your data, regardless of where it is.
The integrity and availability of your data are critical security factors. While you need to protect your data from loss, you also need to protect access to your data so you can use it, regardless of where it’s located. You still need to manage the data in the data center, along with servers, server instances, and infrastructure. There’s a lot more than just data in your data center, including servers, virtual machines, infrastructure equipment, and appliances. Because of this, your data center is still a primary location of critical information that needs to be protected.
Why security for the cloud is different
All that may sound as though there’s no reason to approach cloud security differently than you do the security of your data center. However, it’s critical to keep in mind some important distinctions as you plan your IT and security strategy.
Most obviously, your data (and in some cases your applications) are located at a site that’s outside of your data center and thus outside your direct physical control. The site isn’t operated by your company, the staff isn’t yours, and you don’t have direct access to the data center that is responsible for protecting your critical information.
That may make you nervous about the seeming risk of keeping your critical data in someone else’s hands. The fact is that your data may be safer than it would be if you kept it in your own data center. This is because your cloud provider’s staff really has only one job: to protect your data. The provider’s staff isn’t involved with supporting your company’s workstations or the physical security of your data center or offices, and those people are not subject to the political and personnel tug of war that happens inside most companies.
One result is that a cloud provider’s staff usually is skilled in managing the cloud environment, and they have the time and training to handle your backups and software upgrades. This in turn means that you may not have to train your staff in the highly technical requirements of running a major secure data center. That makes hiring easier, and it makes staff retention dramatically easier. Your company also saves money on staff because there’s less of a need to pay the salaries of people with those ever-shifting skills.
Geographical diversity is a significant benefit of keeping data in the cloud. Because your cloud provider isn’t located where you are, you can avoid the likelihood of a single event taking out both your data center and your critical data. If you choose well, your cloud provider will have geographically diverse data centers, so your data is preserved in more than one place. That’s a win for the business continuity planning element of IT security. With the data off premises, a single event can’t cause you to lose business-critical data—whether it’s a broken pipe in your machine room or a hurricane, it can’t hit everywhere. In addition, if you make provisions in advance, you can also use this cloud-based data as a way to recover from such an event, even if it damages your offices.
Such diversity has other security benefits. For example, it’s more difficult for a denial-of-service attack to completely shut down your operations. While such attacks can make your life more difficult, they are harder to pull off when you have multiple locations for your data, in turn giving you the possibility of multiple paths for access. It’s also easier to incorporate a cloud-based denial-of-service mitigation solution.
While your data in the cloud may be more secure than in your data center, a move to the cloud does bring some new security concerns. The single biggest concern is the security of the communications link between your data center and the cloud data center where your data and applications are stored. Similarly, you need to be concerned about the communications security between your cloud provider’s diverse data centers.
You also need to take into account the potential communications security issue involving your employees and customers. Many SaaS (software as a service) applications allow end users to access cloud information directly, meaning they don’t need to go through the company’s own data center and its related security and authentication processes.
Fortunately, some of these applications, such as Salesforce.com, include significant levels of access security and internal security, and your organization can set its own security requirements. However, not every SaaS provider takes such steps, which means that your organization needs to validate any potential provider’s security before you permit your data to be available on such a site and allow your employees to use such a site.
Finally, there’s the matter of physical security. A major selling feature for cloud providers is that they run large, professionally designed and operated data centers with physical security a significant design criterion. Such a data center has access controls sufficient to meet the needs of the most demanding customer, which means everyone who enters is screened, entryways are guarded, and access points use secure authentication, such as a combination of passcodes and biometrics.
While you may think of security in terms of preventing access to hackers and in keeping malware at bay, access to your data is also a critical point. That means you need to make sure your cloud provider can keep its data center running and accessible to you at all times. Because of this, such a data center has (as a minimum) backup power with fuel supplies sufficient to last longer than the maximum foreseeable outage.
The backup power has generators that can supply adequate power even if one or more go down. And the backup site is remotely manageable. An adequate data center also has access to at least two separate power grids, redundant cooling, and redundant network access, both for the Internet and for private networks. And, of course, the data center itself is mirrored at least once, with the mirror site being located at a significant distance so that the same disaster can’t get both of them.
Five ways cloud security is different
You don’t control the remote data center, so the staff isn’t yours. This is part of the reason for choosing the cloud, because the data center staff is specifically trained to protect your data. But it does mean you need to work with that staff to ensure they learn the necessary procedures.
There’s a communications link between your data center and the cloud. The communications link to your cloud provider is a potential vulnerability, but it’s one that can be managed with virtual private networks, appropriate levels of encryption, and dedicated private networks where necessary.
Your data may exist in multiple, geographically dispersed locations. As long as you can be assured that your data is physically located where the law requires it to be (for example, European data must stay in Europe), then it doesn’t really matter where your data is, as long as it’s not all in the same place. By keeping your data in multiple locations, you ensure that no single event will prevent you from accessing your data.
Most security activities, including updates, backups, and maintenance, are handled by the cloud provider staff, who are probably better at it than you are. The cloud provider should have maintenance and management procedures that meet the requirements of the most demanding customer, with staff trained to work at that level. That is probably better than what your own IT staff can do, if only because your IT staff is faced with a wide range of varying demands, not all of which are related to maintaining your data integrity.
You must confirm that the remote data center protects your data and other cloud activities at a level that meets your statutory and fiscal requirements, which means regular audits of the offsite facilities. This is part of the process of due diligence in regards to protecting your data. In this case it means periodic audits of both the physical security and data security so that you can safely meet your legal data protection requirements.
How this all works together
In an ideal world, you should not be able to tell where your data center ends and where your cloud service begins. Not only should your data be kept where it’s most appropriate, but your applications should be able to draw from that data regardless of whether it’s in the cloud or in your local data center.
Likewise, your data and physical security should be seamless, so that there’s no apparent difference between protecting your data in your own data center versus protecting it in the cloud.
In reality, there are differences, and you need to be aware of them. Because your data may have different requirements for protection when it’s stored in the cloud and because your cloud provider keeps your data and applications at remote locations, it’s important to know where those locations are, if only so you can confirm the level of security on a continuous basis. Geographical diversity is a strong feature of using the cloud, but you still have to be aware of it, and manage the data and the security accordingly.
Related reading: Enhance infrastructure security for the entire IT lifecycle
This article/content was written by the individual writer identified and does not necessarily reflect the view of Hewlett Packard Enterprise Company.