Many agree that encrypting data at rest on the disk is extremely helpful in assuring data protection within a cloud-based data center. However, newly created data and data frequently used by applications have many points of vulnerability while in flight to and from application servers.
The challenge is that data protection and security concerns will always be with us as we evolve to newer IT technologies and as long as there are those who try to hack through security measures and access data. Some in IT management blame technology itself. However, other elements, including out-of-date corporate security policies, contribute to data exposure.
Organizations often implement virtualization and cloud deployments without first reviewing or revisiting their existing data protection and security policies. Significant infrastructure changes can put a business at risk. Failing to review data protection and security measures before changes are implemented may leave you at risk of an attack on your data and cause you to miss out on key new technologies that can help you.
Recently, I spoke with Zane Gramenidis, president of East Coast Computer and a Cisco partner. Zane has been addressing data protection and overall business IT security concerns for decades.
I asked Zane what his firm typically recommends as they work with clients on implementing infrastructure changes. In addition to recommending that clients use updated tools for better data security planning, his company advises they not install business-critical applications on devices that are in the hands of employees.
"They [users] can still run these applications from their devices, but through a centrally managed server in the data center or in the cloud," he says. "Users can still run these applications online or off-line from their various devices. If for any reason an employee leaves the company or a device is lost or stolen, data security can be at great risk. However, with the proper tools these risks can be minimized since devices can be deactivated and the data wiped should these risky situations arise."
There is an industry effort to automate security in conjunction with virtual machines, but Vik Mehta, president of VastEdge, a supplier of IT services to major corporations, says this can be a tricky undertaking. “Automation in a virtual machine environment (i.e., VMware, RHEV and Hyper-V) is good, but it can be scary for some because the security policy must be absolutely correct when the virtual machine is created,” he said. Clearly, preplanning security policies and testing them thoroughly before implementing them in an automated fashion is a must.
As virtual and cloud deployments continue to grow, common information access concerns still need to be addressed. For example, consider extranets. Extranet access is typically provided to partners, vendors and suppliers. Information in flight over multiple networks can be exposed to theft, and the extranet can create a hole for hackers to enter an organization's IT infrastructure.
“Extranets can increase data security risks. Network virtualization, firewalls, wireless LANs, and some storage virtualization use cases can be attacked, and customer order data (units, purchase price information and shipping information) can be compromised,” Mehta says. “Security is a big gap, and many shops want to address it later; however, it needs to be addressed now.”
In an upcoming post, I will address moving data protection to the application stack and the data security concerns therein. I believe you’ll be surprised at which vendor is taking a leadership role in this area.
What are your concerns with data protection in the cloud? Do you include data protection and security planning and policies upfront in change planning? Is security dealt with after changes are made? Share your thoughts and opinions in the space below.