Jason Yaeger, Senior Director of Solutions Architecture at Otava, explains how data security changes for those hosted in the private or public cloud.
Presented by Senior Director of Solutions Architecture Jason Yaeger, Otava
Public & Private Cloud Concerns
I think security and resource allocation are our main issues with public cloud computing. You really don’t have any control over who is managing your firewalls, who is managing the resources that your virtual machines are sitting on.
So, if you look at the security offerings with private cloud hosting, they’re going to be much more geared towards physical server aspects. Whether you have 20 virtual machines or 20 physical machines, it’s going to be very similar how we think of security because we really don’t care what’s behind it – what we care about is making sure that each server is secured the same way as it would be in a physical environment.
And then from a resource allocation perspective, it’s on us to control your resources when it comes to RAM and CPU and disk usage. So, it’s very easy for us to guess, or calculate, not guess, calculate when you’re going to run out of your own resources. There’s not another client who could, all of a sudden, run some attack on somebody else’s equipment – which is what the public cloud is used for a lot.
It’s under your control. If you have a problem, we can identify it very quickly. We can remediate the problem you’re having and add equipment as needed.
Public vs. Private Security
So some of the differences between public and private cloud offerings, as far as security goes, are going to be:
Network Security Approach
Private cloud computing shouldn’t change your network security approach at all. You should think of your servers as either virtual or physical, but that shouldn’t change how you segment each one of their job duties. It shouldn’t change how you protect each VLAN behind your firewalls, from each other.
It doesn’t matter if they’re virtual or physical; it’s 20 servers. If you’re gaining some of the advantages of VMware or something like that by sharing resources, that’s a resource allocation – it shouldn’t compromise security whatsoever.
So we really don’t change any aspect of how we think of security when it comes to a virtual environment, because it should stay the same, whether physical or virtual.
Where Do You Host Your Private Cloud?
I think that the basis of what a company should look for when researching or doing whatever they need to do to find out where they should put their secure private cloud, or if they should keep it in-house – one of those bases is going to be a SAS 70 audit. Or, what it’s going to be known as now, SSAE 16. If you’re going to put your secure private cloud somewhere and you don’t have that as a basis, it’s going to be very hard to pass any other compliances, whether it be PCI or HIPAA.
You’re also going to want to check with that service provider: if that service provider is not PCI or HIPAA compliant, do they have references from clients that actually have those certifications within their data centers somewhere?
So the basis for all of that is SAS 70 or SSAE 16, but even more so, if the managed service supplier is not PCI or HIPAA compliant, can they provide you valid references of clients that have passed that audit? That’s going to be key when finding a company to outsource your private cloud to.