02:06 PM
Tom Trainer

Data Protection In The Cloud Era

Organizations need to review security policies and procedures before implementing newer technologies such as cloud computing and virtualization.

Growing deployments of private and hybrid clouds, coupled with increasing enterprise trust in public clouds, beg the question: How can IT management assure data protection and security in the era of cloud computing and cloud storage?

Many agree that encrypting data at rest on the disk is extremely helpful in assuring data protection within a cloud-based data center. However, newly created data and data frequently used by applications have many points of vulnerability while in flight to and from application servers.

The challenge is that data protection and security concerns will always be with us as we evolve to newer IT technologies and as long as there are those who try to hack through security measures and access data. Some in IT management blame technology itself. However, other elements, including out-of-date corporate security policies, contribute to data exposure.

Organizations often implement virtualization and cloud deployments without first reviewing or revisiting their existing data protection and security policies. Significant infrastructure changes can put a business at risk. Failing to review data protection and security measures before changes are implemented may leave you at risk of an attack on your data and cause you to miss out on key new technologies that can help you.

Recently, I spoke with Zane Gramenidis, president of East Coast Computer and a Cisco partner. Zane has been addressing data protection and overall business IT security concerns for decades.

I asked Zane what his firm typically recommends as they work with clients on implementing infrastructure changes. In addition to recommending that clients use updated tools for better data security planning, his company advises they not install business-critical applications on devices that are in the hands of employees.

"They [users] can still run these applications from their devices, but through a centrally managed server in the data center or in the cloud," he says. "Users can still run these applications online or off-line from their various devices. If for any reason an employee leaves the company or a device is lost or stolen, data security can be at great risk. However, with the proper tools these risks can be minimized since devices can be deactivated and the data wiped should these risky situations arise."

There is an industry effort to automate security in conjunction with virtual machines, but Vik Mehta, president of VastEdge, a supplier of IT services to major corporations, says this can be a tricky undertaking. “Automation in a virtual machine environment (i.e., VMware, RHEV and Hyper-V) is good, but it can be scary for some because the security policy must be absolutely correct when the virtual machine is created,” he said. Clearly, preplanning security policies and testing them thoroughly before implementing them in an automated fashion is a must.

As virtual and cloud deployments continue to grow, common information access concerns still need to be addressed. For example, consider extranets. Extranet access is typically provided to partners, vendors and suppliers. Information in flight over multiple networks can be exposed to theft, and the extranet can create a hole for hackers to enter an organization's IT infrastructure.

"Extranets can increase data security risks. Network virtualization, firewalls, wireless LANs, and some storage virtualization use cases can be attacked, and customer order data (units, purchase price information and shipping information) can be compromised," Mehta says. "Security is a big gap, and many shops want to address it later; however, it needs to be addressed now."

In an upcoming post, I will address moving data protection to the application stack and the data security concerns therein. I believe you’ll be surprised at which vendor is taking a leadership role in this area.

What are your concerns with data protection in the cloud? Do you include data protection and security planning and policies upfront in change planning? Is security dealt with after changes are made? Share your thoughts and opinions in the space below.

User Rank: Apprentice
9/19/2013 | 4:29:45 AM
re: Data Protection In The Cloud Era
Hi MarciaNWC -- The Cloud Security Alliance has been around since 2008 and has helped fill what was/is a growing gap between user knowledge of cloud technologies and security concerns vs. rapid innovation in cloud technologies. Their educational programs have assisted many with getting up to speed and certified.

Additionally, I like what CISSP has done with network security training and certification.

Overall, the vendor-neutral approach is the way to go. Having said that, vendor participation in these organizations is crucial for many reasons, including sponsorships and training content.

Some vendors offer training on their hardware and software products and it's wise to take them up on their training classes.

Marcia Savage,
User Rank: Apprentice
9/18/2013 | 7:54:13 PM
re: Data Protection In The Cloud Era
Hi Tom -- What do you think of the guidance provided by the Cloud Security Alliance?