4 Essential Cloud Security Tips

More and more enterprise IT shops - as they get comfortable with virtualization practices in their own private clouds - are considering a jump to the public cloud. But before making that leap, consider these pieces of advice from those that have already jumped.

1. Make sure your provider has VM-specific security

"Hypervisors were never really designed to be running in a public environment," says Beth Cohen, senior cloud architect for Cloud Technology Partners, a consultancy.

That fact doesn't necessarily stop them from being secure, Cohen says. But it does require a more elastic security strategy that can deal with the issues of virtual machines (VM) moving around the underlying infrastructure, interacting with cloud applications, and supporting multiple tenants.

Customers going into the public cloud need to understand that perimeter security - while it still needs to be in place in any virtual data center environment - isn't going to help with the internal security of virtual machines, says Michael Berman, CTO of Catbird Networks, a vendor that focuses on virtual machine security.

Both Cohen and Berman have pointed potential cloud consumers to VMware's vShield, which is both a product that offers integrated security services to the underlying VMware hypervisor and a set of APIs that allow third-party security vendors to build security services on top VMware's platform.

VMware's Dean Coza, director of product management for security products, points out that a dozen security vendors announced products that tap into vShield to deliver virtual machine security products at last month's VMworld conference.

But VMware is only one of the virtualization software vendors out there and the company has said very little about how these tools will help lock down other popular VMs from Microsoft and Citrix.

Experts describe the top cloud security concern

2. Figure out a way to lockdown endpoints

Predictions for mobile device sales are staggering. Forrester says tablet sales will hit 208 million by 2014. Gartner contends that 1.1 billion smartphones will be sold in 2015. Enterprises moving to the cloud must brace themselves for many more of these consumer-type devices trying to get to corporate data and applications in the cloud.

"The BYOD [bring your own device] to work issue is huge because now you have devices you don't own trying to access your data over networks that you don't control," says Tom Clare, senior director of product marketing at Websense, a content security vendor.

Jacob Braun, president and COO of Waka Digital Media, a managed security service provider and consultancy in western Massachusetts, says one way to help limit the number of users wanting to run personal devices on the corporate network is to set up policy roadblocks.

These include limiting what they can do on the machine while attached to the network, requiring them to pay for mobile malware protections and confiscating the device if there is a security issue.

But there are legitimate circumstances for giving upper management controlled access through the cloud. Braun's company uses products such as Kaseya's mobile device management module, which is part of the vendors overall IT System Management platform, to gain that kind of control.

Joe Coyle, CTO for Capgemini Consulting, contends that in order to effectively support mobile devices you must make sure your provider's ID management scheme jibes with your internal one.

"They are coming in from everywhere, so if you lock them into their set roles through consistent ID management, then you have a decent shot at making sure they are not getting to data they - or their machines -- don't have rights to," Coyle says.

3. Push your cloud provider to put security in your SLA

Standard cloud service provider service-level agreements (SLA) barely touch on security, so it's a buyer beware kind of situation.

"Make sure your provider is willing to move well beyond simple monitoring of your service usage," says Torsten George, vice president, worldwide marketing at Agiliance, a security vendor that offers governance, risk and compliance services.

Customers have a right to push for insight into a provider's compliance posture, its overall security posture and how it stacks up against benchmarks for best security practices.

"Absolutely push for a custom security SLA," says Jeremy Crawford, CTO of MLSListings, a Silicon Valley-based regional Multiple Listing Service (MLS) that supports over 5,000 brokerages and 18,000 subscribers. Crawford has negotiated security focused SLAs with three public cloud providers. He takes a look at the providers' standard security agreement, but only consents to about 50% of the language in most cases. He pushes for more favorable language relating to visibility into the providers' systems and sets up specific terms about shared liability should there be a breach.

"You've got to have teeth in the contract or you'll have no legs to stand on if there is a data leak," Crawford says.

4. Act quickly

Richard Rees, manager of EMC's virtual cloud consulting services, says enterprises should move quickly on an overall strategic plan for pushing their business process out to the public cloud in a controlled fashion. By doing so, you avoid rogue pockets of public cloud within the companies.

"I am always surprised by how quickly departmental pilot projects morph into business critical applications," Rees says. Due to the relatively low cost of entry into most public cloud applications, the likelihood that they are being used without IT's knowledge is pretty high.

Read more about cloud computing in Network World's Cloud Computing section.