Hybrid Cloud Computing Security: Real Life Tales
The company has also been using an external cloud service from a major vendor, which Rawlings did not want to identify, for about a year and a half. That service supports several applications, including processing for websites Rawlings runs for some of its non-healthcare clients. The vendor enables Rawlings to easily scale capacity up or down depending on its needs, Landgrave says.
When considering the external cloud, look at the volume of data, Landgrave says. "That drives most of the cost and processing-speed issues," he says. "Security obviously is always at the top of the list, but if in the future that is determined not to be an issue, the size of the data set...is one of the primary factors," he says.
Rawlings is currently evaluating cloud services from vendors such as Microsoft, Rackspace and IBM to help handle its fast-growing data-processing demands. But the company's processing needs--it has several hundred terabytes of data in-house--render those services too costly under their current monthly pricing structure, Landgrave says.
"So far it's much more expensive to use the cloud for the size of data sets we're talking about," he says. "It quickly becomes cost-prohibitive."
Cloud Security, Compliance and Integration
Once companies have made the decision to deploy cloud services--or even before they've made the decision--they need to ensure that adequate security is in place to safeguard information in the cloud."Security is by far the biggest concern and can be something that's addressed at all levels," Garvin says.
"For example, software developers can learn techniques to employ when creating applications to eliminate some security threats such as SQL injection, while other security safeguards can be implemented in the hardware. Our thought is that the most robust security is going to have to come at the hardware level, as it will always be possible to hack code in the cloud."
Garvin says one of the most impressive hardware solutions is Intel's Trusted Execution Technology, which provides processor-level extensions to create many separate execution environments, known as partitions. This is useful in cloud security, she says. "It also provides for secure key generation and storage, and it checks the BIOS upon execution to detect tampering," she says.
IBM has also been doing something similar with chipsets used in embedded systems and mobile devices as part of its Smarter Planet drive, Garvin says, and these could help with cloud client security. "Built-in capabilities in chipsets provide for hardware storage of security-related data like keys, certificates, data and checksums, and also provide some assistance in encryption and decryption," she says.
Silva says it's especially important that companies evaluate the level of visibility, controls and security in place at the cloud provider. "The biggest threat is [not] understanding the risk profile the provider brings to the table," he says.
Part of the vendor evaluation should be exploring its infrastructure, which could be dedicated or shared among other customers, Silva says. If it's shared, what's the risk of other customers taking actions that could put your information or privacy in jeopardy? Companies using cloud services should evaluate the provider's risk profile on an ongoing basis, he says, not just at the outset.
Building strong security can also include writing security requirements into contracts with cloud-service providers and following up to make sure these requirements are being met. To thoroughly evaluate its external cloud vendor's security posture, Rawlings pored over documents to make sure the provider had the proper controls in place and was monitoring them.
[Also see The cloud security survival guide]
Schumacher is relying on cloud-based security tools from Symplified to protect its data in the cloud, including its identity management and single-sign-on (SSO) applications. Symplified provides a centralized service that handles identity and access management, enforces security policies on all the cloud applications Schumacher uses, and audits usage for compliance reporting.
"The SSO approach leads to higher application adoption and fewer passwords being stored on sticky notes," Menefee says. "It would be impossible for our employees to remember unique credentials for all of the systems that we have licensed."
Regulatory compliance is another key issue with the cloud, particularly for companies in industries such as healthcare and financial services.
Menefee says Schumacher Group asks for assurances of privacy and confidentiality with all services that store or could store patient health information. "We ask for various compliance certifications on an annual basis as part of our due diligence process," he says.
Rawlings is also sensitive about data privacy and security because its customers are in the healthcare industry, where regulations regarding data access and storage are particularly stringent. But it goes beyond regulations, he says; Rawlings is morally obligated to protect the integrity of the information.
"The data we have in-house has a very high privacy requirement, so we would have to be absolutely sure that the websites themselves and the pipe between us and the sites is secure" before being able to seriously consider using the cloud for healthcare data, Landgrave says.
Some organizations adopting cloud computing need to figure out how to knit together cloud and non-cloud environments seamlessly so that there's no negative impact on IT services to employees and customers.
Schumacher uses integration tools from several vendors to help meld cloud and non-cloud processes, Menefee says. "The key is to be able to have a couple of options to choose from and to ensure that the cloud providers as well as on-premise solutions have strong APIs and Web services available," he says. (Read more about securing APIs in SaaS, PaaS and IaaS: A security checklist for cloud models.)
The company uses integration products from Cast Iron and Boomi for workflow integrations between hosted and SaaS services. "The integration tools allow us to manage data at the field level with active directory security controls," Menefee says. Single sign-on enables the company to leverage two environments with different sets of users to ensure they're active. "SSO also brings value because users have a single user name [and] password," he says. "This prevents users from writing their authentication information on sticky notes and leaving them in desk drawers. We work closely with our end users on identity- and password-management best practices."
Rawlings has no need to integrate its cloud and non-cloud environments. "The processes are totally different, they have no need to interact," Landgrave says. "In the future, given the way we partition work, the way we would use the cloud is to expand processing," so data integration would still not be a concern.
The only major integration issue Morris School District has had to deal with is transitioning from its current student-management system to the new cloud-based application. So far the move has gone smoothly, McDade says, thanks to working closely with the cloud provider.
"If [integration] is done efficiently and effectively with a strong partner with a solid track record, it can be accomplished without too much stress," he says.
Read more about cloud security in CSOonline's Cloud Security section.