For the enterprise architect steeped in legacy data center and on-premises infrastructures, the learning curve to effective cloud computing security can seem steep. Enterprise architects transitioning to the cloud must add cloud infrastructure expertise to their knowledge base and learn to cut through the hype in the crowded cloud security marketplace. Once you do so, however, you’ll find that you can boil cloud security down to a few solutions that are much simpler than you might expect.

Earlier this year, the National Institute of Standards and Technology (NIST) drew up a security architecture for cloud computing that reduces the enterprise, in its position as “cloud consumer,” to a very small part of the overall architecture. This doesn’t mean that the enterprise must give up control of its data, however. Looking at the NIST architecture, we can identify several areas that are not only key to cloud computing security, but also easily controlled from the enterprise side, with the right solutions. Here are two:

Cloud Auditing

In most cases, cloud computing security boils down to regulatory compliance, and regulatory compliance demands a high level of auditability. To satisfy regulatory requirements, such as the requirement that enterprises keep log data for 10 years, and to provide security analysts with the most comprehensive resources to do their jobs, you need to retain as much of an audit trail as possible.

Unfortunately, many cloud service providers offer only limited logs. If you use multiple cloud services, as is most likely the case, you’ll also have to contend with inconsistent levels of log availability. For the strongest cloud computing security, you need more than what third parties can give. Ideally, your cloud information protection platform should be able to track and capture all interactions across all the cloud services you use. This audit trail will prove invaluable for forensics, accountability, and general monitoring purposes.

Cloud Encryption

Depending on what your enterprise does in the cloud, your data may pass through some or all levels of the cloud service level stack. Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS) all have different implications when it comes to the level of control customers typically cede. What doesn’t change, however, is that your enterprise is ultimately responsible for its own data, no matter what part of the stack it passes through.

A strong cloud encryption strategy, one in which your enterprise retains exclusive possession of the encryption keys, will ensure that you hold up your end of the cloud computing security bargain. Look for solutions that offer strong symmetric encryption and do not provide the encryption keys to anyone but you.

As you can see, the fact that cloud computing puts the enterprise in a narrow corner of the overall architecture doesn’t have to mean that the enterprise has little say in the privacy and protection of its sensitive data. CipherCloud’s cloud information protection solutions provide advanced and thorough logging and time stamping capabilities, strong symmetric encryption with exclusive enterprise key control, and a variety of other security, monitoring, and DLP measures designed to keep your data safe and your organization secure in complex regulatory environments.

The cloud changes a lot of things, but not the need for security. The Cloud Security Alliance positions security and risk management as fundamental across all levels of the cloud stack.
