Is the Cloud Part of Your Cyber Security Business Plan and is the Cloud Compliant?
More and more businesses are moving to the cloud every year.
Is it a mistake?
Some business leaders are hesitant to make the leap to the cloud.
Are they wrong?
A measure of careful thought and skepticism of new technologies is healthy.
Here’s the deal.
Not All Cloud Solutions Are Created Equal – So Compliance and Security Concerns Are Completely Justified.
When someone talks about the cloud, what do you imagine?
Do you think about a server farm somewhere in Silicon Valley?
Does your mind go to a network of servers spread across the globe like a giant digital spider web?
Or, do you imagine that your applications and data are on a server in someone’s basement?
Yes, you guessed it.
Any of these scenarios could be considered a “cloud hosting” setup.
But, to be fair, IT professionals aren’t going to risk your data by keeping it in their basement.
What Are the Basic Cloud Scenarios That IT Professionals Set Up for Their Clients?
- Private Cloud – In this scenario, the servers that house your data, applications, or virtualized machines are owned by you, the client. Very often, they are housed in your facility. This configuration allows for complete control but does require more internal management and represents a business continuity vulnerability when local disasters such as fire or flood are considered.
- Public Cloud – The public cloud scenario is similar to renting a storage locker. You aren’t the only one renting space in that building; it is open to the public. The provider’s physical and infrastructure security, and the compliance attestations that depend on it, are already in place, but you don’t own the facility or hardware, and you remain responsible for how you configure and protect what you put there (identities and permissions, network rules, encryption, backups). This option is often recommended because with the better cloud hosting companies – such as AWS – much of the security, compliance, and management of the underlying infrastructure is already in place.
- Hybrid Cloud – In a hybrid cloud setup, a business IT consultant takes the best of both worlds – private cloud and public cloud – and combines them into one system: the client company keeps on the private cloud the data, virtual machines, or applications it is not yet ready to trust to the public cloud, while the workloads it is comfortable moving are placed in the public cloud.
How Are the Best Public Cloud Data Centers Secured? (A Summary)
- Perimeter Security – The outer layer of the cloud data center features guards, fences, cameras, and technology geared to prevent and detect intrusion.
- Infrastructure Security – Servers are protected by HVAC systems, fire suppression, and backup power.
- Data Security – Data is protected with restricted access, biometric identifiers, clearly defined and followed protocols, third-party audits, security cameras, and certification that the data center has met in excess of 2,600 individual security requirements.
- Environmental Security – Data centers are built in locations chosen to avoid the risk posed by earthquakes, floods, and persistent severe weather.
How Do the Best Data Centers Ensure Data Security and Compliance? (In Greater Detail)
- Thinking Ahead – Data centers trusted to house the IT resources of Fortune 500 companies have staff whose job is to anticipate attackers: modeling likely threats and tracking new attack techniques so that the facility is prepared if and when they arrive.
- Geo-Redundancy – By replicating data across several of their locations, data centers ensure that if one location is taken down by a natural disaster, their customers’ data is still available in another. Cloud providers expose these isolated locations as Availability Zones (separate facilities within one region) and, for protection against region-wide events, as multiple regions. Note that for many services replication across zones or regions is a setting the customer has to enable, not an automatic default.
- Business Continuity – Data centers that are serious about their customers’ ability to have uninterrupted, secure access to the IT assets stored there have a company-wide business continuity strategy. They are happy to explain the details of that strategy to their clients because it shows they have thought through the logistics of caring for their customers’ data.
- Physical Access – As we have already discussed, the best data centers rely on multiple layers of physical security beginning at the front gate and continuing through the complex to the access protocols for individual servers.
- Employee and Contractor Access Credentials – Employee and contractor access credentials are reviewed on a regular basis to determine if they have a legitimate reason for the level of access they currently hold.
- Access Logs – Because the best data centers utilize identifiers that go much further than a simple swipe card, they are able to keep track of exactly who is coming and going.
- Monitoring – Data centers, by nature, have to be constantly monitored for operational stability and security. When an anomaly is encountered, the issue is quickly triaged, and an appropriate response is formulated and enacted quickly to preserve the integrity, security, and compliant status of the data housed in the facility’s servers.
- Power, Water, Temperature, and Fire – A data center that is serious about protecting your data will have power backups, flood detection systems, fire suppression systems, and an HVAC configuration that keeps the servers in the data center at an optimal and consistent temperature.
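The geo-redundancy item above distinguishes losing one facility from losing a whole region. The following is an added example (not code from the original article or from any provider): given where each copy of a dataset is placed, it reports which single zone or region failure would leave no readable copy, and classifies the placement as zone-redundant or truly geo-redundant. The region and zone names and the three placements are constructed for illustration.

```python
"""Fault-domain check for replicated data (added example, constructed inputs)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Replica:
    region: str   # provider region, e.g. "us-east" (hypothetical name)
    zone: str     # isolated location (availability zone) inside that region


def surviving_copies(replicas, lost_region=None, lost_zone=None):
    """Count copies that remain if one region, or one (region, zone) pair, is lost."""
    count = 0
    for r in replicas:
        if lost_region is not None and r.region == lost_region:
            continue
        if lost_zone is not None and (r.region, r.zone) == lost_zone:
            continue
        count += 1
    return count


def single_points_of_failure(replicas):
    """Zones and regions whose loss would leave zero readable copies."""
    zones = {(r.region, r.zone) for r in replicas}
    regions = {r.region for r in replicas}
    dead_zones = sorted(z for z in zones if surviving_copies(replicas, lost_zone=z) == 0)
    dead_regions = sorted(g for g in regions if surviving_copies(replicas, lost_region=g) == 0)
    return {"zones": dead_zones, "regions": dead_regions}


def redundancy_level(replicas):
    """'none': a single zone loss is fatal; 'zone': survives any one zone but not a
    region; 'geo': survives the loss of any one region."""
    spof = single_points_of_failure(replicas)
    if spof["zones"]:
        return "none"
    if spof["regions"]:
        return "zone"
    return "geo"


# Constructed placements, not real deployments.
SINGLE_SITE = [Replica("us-east", "a"), Replica("us-east", "a")]
MULTI_AZ = [Replica("us-east", "a"), Replica("us-east", "b"), Replica("us-east", "c")]
MULTI_REGION = [Replica("us-east", "a"), Replica("us-east", "b"), Replica("eu-west", "a")]

if __name__ == "__main__":
    for name, placement in [("single site", SINGLE_SITE),
                            ("multi-AZ", MULTI_AZ),
                            ("multi-region", MULTI_REGION)]:
        print(f"{name:13s} -> {redundancy_level(placement):5s} {single_points_of_failure(placement)}")
```

The point of the three placements is the middle one: three copies in three Availability Zones survive any single facility outage, which is what the data center's own redundancy buys you, but a region-wide event still takes out every copy. Only the third placement is geo-redundant in the sense the article uses.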
What Compliance Programs Do the Best Data Centers Offer?
Because cloud hosting companies house data from businesses all over the world, they have to be experts in compliance and support an entire range of security and compliance programs. Keep in mind that a provider’s certification covers the provider’s infrastructure and operations; what you build on top of it still has to be configured and assessed to meet the same standard. Here is a sampling:
- CSA – Cloud Security Alliance Controls
- ISO 9001 – Global Quality Standard
- ISO 27001 – Security Management Controls
- ISO 27017 – Cloud Specific Controls
- ISO 27018 – Personal Data Protection
- PCI DSS Level 1 – Payment Card Standards
- SOC 1 – Audit Controls Report
- SOC 2 – Security, Availability, & Confidentiality Report
- SOC 3 – General Controls Report
- CJIS – Criminal Justice Information Services
- DoD SRG – DoD Data Processing
- FedRAMP – Government Data Standards
- FERPA – Educational Privacy Act
- FFIEC – Financial Institutions Regulation
- FIPS – Government Security Standards
- FISMA – Federal Information Security Management
- GxP – Quality Guidelines and Regulations
- HIPAA – Protected Health Information
- ITAR – International Arms Regulations
- MPAA – Protected Media Content
- NIST – National Institute of Standards and Technology
- SEC Rule 17a-4(f) – Financial Data Standards
- VPAT / Section 508 – Accessibility Standards
Can Using Cloud Hosting Services be as Secure and Compliant as Doing it All In-House?
Every situation is different, but in general terms, using one of the leaders in data center technology can be even more secure and allow for better compliance management than an in-house solution. In addition, for workloads in the cloud the client company no longer has to provide facility-level business continuity (power, cooling, physical redundancy) or bear the expense of buying, replacing, or maintaining in-house infrastructure, although it still owns its backups, recovery testing, and the resilience of its own applications.
What Are Other Advantages to Using Cloud Hosting Services?
- Access your data and workflows from anywhere.
- Lower infrastructure costs.
- Scale simply.
- Leverage physical and infrastructure security controls that the provider keeps current.