Hybrid Cloud Computing Security: Real Life Tales
For all the talk about public clouds versus private clouds, many organizations will likely end up with a mixed IT environment that includes both types of cloud as well as non-cloud systems and applications--at least for a next several years.
Security remains a concern for many CIOs, but if the business case supports it, companies are going to move all but the most sensitive and high-risk data to the cloud. Those executives that have started weaving together cloud and non-cloud environments say they've taken steps to ensure that security is an early consideration, have included security provisions in service-level agreements (SLAs) and contracts, and have worked to maintain compliance and secure integration.
[Also read 5 cloud security trends for 2011]
Industry experts say that despite the well-publicized worries about security, the mixed IT environment will likely appeal to many organizations, particularly global enterprises.
"The hybrid cloud model makes a lot of sense in large organizations," says Janel Garvin, CEO of Evans Data, a market research firm in Santa Cruz, Calif. "As security concerns lessen, many might move more of their computing resources out to the cloud. But some may keep a hybrid model for years to come."
Outward-facing applications, such as collaboration, communications, customer-service and supply-chain tools, are excellent candidates for the cloud, Garvin says, while information such as financial and customer data is more likely to reside on-premise. "Most companies also feel that backup for storage and apps should still be kept internally, even if the data and apps reside in a cloud," she adds.
As recently as a few years ago, ventures into the cloud were mostly experimental, back-burner projects, not something to which companies would trust critical data, says Chris Silva, senior vice president of research and service delivery at IANS Research, an information security research firm. Today, "we're seeing a lot more things taking on a cloud flavor," Silva says.
A growing number of businesses are seeing value in services that provide increased processing power for busy times, such as holiday shopping seasons or financial reporting periods, Silva says. "This has moved from fringe activities to the mainstream."
Into the Cloud: The Business Case Rules
To be sure, some companies are still reluctant to use the cloud for customer and other sensitive data because they have security and regulatory compliance concerns. Nevertheless, businesses are forging ahead with cloud initiatives, and, as with other significant IT investments, decisions about whether to use the cloud and which services to adopt often come down to whether there's a strong business case.
"The economics and business needs are going to determine what stays on-premise versus lives in the cloud," says Doug Menefee, CIO at Schumacher Group, which provides emergency-room-management services to U.S. hospitals.
Schumacher began moving applications to the cloud in 2006, and Menefee estimates that 90 percent of the company's processes are in cloud-based services today.
Some are hosted services and others are software as a service (SaaS), Menefee says. "We have a hybrid approach where most of these solutions are integrated with each other via Web services or are integrated with on-premise solutions," he says.
To ensure cloud security, Schumacher worked with each of its vendors to review their security and audit procedures and ensure they were in compliance with HIPAA and the Health Information Technology for Economic and Clinical Health (HITECH) Act. "We include our business associates agreement as part of our standard contractual language with any vendor who potentially has access to patient data," he says.
A major driver for the company, which is based in Lafayette, La., to go to the cloud was the realization that its data centers were susceptible to damage by major hurricanes like Katrina and Rita, Menefee says. He says the cloud providers have multiple data centers across the country. "Review of data center footprint and geographic locations are part of our due-diligence process," Menefee says.
Other motivators include the ability to easily scale capacity up or down and the need to deliver applications to users faster.
Typically, when Schumacher is deciding whether an application should go in the cloud, "cloud wins because we can get it up and running faster than on-premise," Menefee says. "Additionally, the SLAs and quarterly updates from vendors keep us ahead of the curve on innovation, features and functions."
The Morris School District in Morristown, N.J., also applies business cases to its cloud decisions. The district is using a cloud service from AppRiver to manage its e-mail security, including spam and virus filtering. It's in the process of implementing another cloud service for its main student information system, which is used for tasks such as grading, taking attendance, scheduling, managing health records and coordinating buses.
The school district has opted to keep some portions of its IT infrastructure and applications, such as the budget, personnel and payroll systems, out of the cloud, says Tim McDade, the school district's director of technology. Part of what's holding him back is lack of staff, McDade says.
"We are in the process of launching our new cloud-based student-management system, and to do additional [critical] systems at the same time is too much to undertake at once," he says. "There is the training of many users involved, and the student information system is a major system, in reality the most important system we run."
What factors did the district consider when deciding what to put in the cloud and when? "Money, time available to technically implement [the services], and time needed for training of end users," McDade says.
Using a cloud service for e-mail security saves labor costs. "The time and money to run, maintain and back up those systems in-house cost a fortune compared to hosted solutions," McDade says. In the past, when major virus outbreaks came in through e-mail, "we would more or less have to drop everything we were doing to track it down on our internal servers," he says.
The process of finding and getting rid of e-mail problems internally took hours and was disruptive to operations, McDade says. With the cloud-based application, the vendor handles all the necessary filtering. He estimates that the district is saving at least $20,000 a year by using the cloud service.
The Rawlings Group, a provider of medical and pharmacy claims-recovery services, also has a mixed IT environment. While non-cloud systems handle highly sensitive data, the company uses several clouds, including an internal one in which some 600 systems form a grid that supports database access and data-mining applications.
The internal cloud houses healthcare-client data, says Kevin Landgrave, senior vice president of IT at Rawlings. The grid, which Rawlings launched about a year ago, has helped the company handle its growing data processing demands, he says.
"This is primarily a client comfort and approval issue for us," Landgrave says. "Our agreements with our clients are very specific about how and where we store their data, and the processes used to access the data. We'll need further guidance from the government--around what 'minimum necessary' means in terms of transmitting data for HIPAA business associates under HITECH, and how it might affect the transmission of electronic health records--before we're willing to ask clients for approval to store their data outside of our facility." When a HIPAA-covered entity discloses protected health information to a cloud provider, Landgrave says, it risks exposure to federal data security breach notification requirements under the HITECH Act. (CSOonline's Security laws, regulations and guidelines directory provides summaries and links to full text of these and other requirements.)
Next page: Security and compliance
The company has also been using an external cloud service from a major vendor, which Rawlings did not want to identify, for about a year and a half. That service supports several applications, including processing for websites Rawlings runs for some of its non-healthcare clients. The vendor enables Rawlings to easily scale capacity up or down depending on its needs, Landgrave says.
When considering the external cloud, look at the volume of data, Landgrave says. "That drives most of the cost and processing-speed issues," he says. "Security obviously is always at the top of the list, but if in the future that is determined not to be an issue, the size of the data set...is one of the primary factors," he says.
Rawlings is currently evaluating cloud services from vendors such as Microsoft, Rackspace and IBM to help handle its fast-growing data-processing demands. But the company's processing needs--it has several hundred terabytes of data in-house--render those services too costly under their current monthly pricing structure, Landgrave says.
"So far it's much more expensive to use the cloud for the size of data sets we're talking about," he says. "It quickly becomes cost-prohibitive."
Cloud Security, Compliance and Integration
Once companies have made the decision to deploy cloud services--or even before they've made the decision--they need to ensure that adequate security is in place to safeguard information in the cloud."Security is by far the biggest concern and can be something that's addressed at all levels," Garvin says.
"For example, software developers can learn techniques to employ when creating applications to eliminate some security threats such as SQL injection, while other security safeguards can be implemented in the hardware. Our thought is that the most robust security is going to have to come at the hardware level, as it will always be possible to hack code in the cloud."
Garvin says one of the most impressive hardware solutions is Intel's Trusted Execution Technology, which provides processor-level extensions to create many separate execution environments, known as partitions. This is useful in cloud security, she says. "It also provides for secure key generation and storage, and it checks the BIOS upon execution to detect tampering," she says.
IBM has also been doing something similar with chipsets used in embedded systems and mobile devices as part of its Smarter Planet drive, Garvin says, and these could help with cloud client security. "Built-in capabilities in chipsets provide for hardware storage of security-related data like keys, certificates, data and checksums, and also provide some assistance in encryption and decryption," she says.
Silva says it's especially important that companies evaluate the level of visibility, controls and security in place at the cloud provider. "The biggest threat is [not] understanding the risk profile the provider brings to the table," he says.
Part of the vendor evaluation should be exploring its infrastructure, which could be dedicated or shared among other customers, Silva says. If it's shared, what's the risk of other customers taking actions that could put your information or privacy in jeopardy? Companies using cloud services should evaluate the provider's risk profile on an ongoing basis, he says, not just at the outset.
Building strong security can also include writing security requirements into contracts with cloud-service providers and following up to make sure these requirements are being met. To thoroughly evaluate its external cloud vendor's security posture, Rawlings pored over documents to make sure the provider had the proper controls in place and was monitoring them.
[Also see The cloud security survival guide]
Schumacher is relying on cloud-based security tools from Symplified to protect its data in the cloud, including its identity management and single-sign-on (SSO) applications. Symplified provides a centralized service that handles identity and access management, enforces security policies on all the cloud applications Schumacher uses, and audits usage for compliance reporting.
"The SSO approach leads to higher application adoption and fewer passwords being stored on sticky notes," Menefee says. "It would be impossible for our employees to remember unique credentials for all of the systems that we have licensed."
Regulatory compliance is another key issue with the cloud, particularly for companies in industries such as healthcare and financial services.
Menefee says Schumacher Group asks for assurances of privacy and confidentiality with all services that store or could store patient health information. "We ask for various compliance certifications on an annual basis as part of our due diligence process," he says.
Rawlings is also sensitive about data privacy and security because its customers are in the healthcare industry, where regulations regarding data access and storage are particularly stringent. But it goes beyond regulations, he says; Rawlings is morally obligated to protect the integrity of the information.
"The data we have in-house has a very high privacy requirement, so we would have to be absolutely sure that the websites themselves and the pipe between us and the sites is secure" before being able to seriously consider using the cloud for healthcare data, Landgrave says.
Some organizations adopting cloud computing need to figure out how to knit together cloud and non-cloud environments seamlessly so that there's no negative impact on IT services to employees and customers.
Schumacher uses integration tools from several vendors to help meld cloud and non-cloud processes, Menefee says. "The key is to be able to have a couple of options to choose from and to ensure that the cloud providers as well as on-premise solutions have strong APIs and Web services available," he says. (Read more about securing APIs in SaaS, PaaS and IaaS: A security checklist for cloud models.)
The company uses integration products from Cast Iron and Boomi for workflow integrations between hosted and SaaS services. "The integration tools allow us to manage data at the field level with active directory security controls," Menefee says. Single sign-on enables the company to leverage two environments with different sets of users to ensure they're active. "SSO also brings value because users have a single user name [and] password," he says. "This prevents users from writing their authentication information on sticky notes and leaving them in desk drawers. We work closely with our end users on identity- and password-management best practices."
Rawlings has no need to integrate its cloud and non-cloud environments. "The processes are totally different, they have no need to interact," Landgrave says. "In the future, given the way we partition work, the way we would use the cloud is to expand processing," so data integration would still not be a concern.
The only major integration issue Morris School District has had to deal with is transitioning from its current student-management system to the new cloud-based application. So far the move has gone smoothly, McDade says, thanks to working closely with the cloud provider.
"If [integration] is done efficiently and effectively with a strong partner with a solid track record, it can be accomplished without too much stress," he says.
Read more about cloud security in CSOonline's Cloud Security section.