BOF05: Is my data really secure in the Cloud?

Hey Folks, Welcome to another live blog from TechEd 2011 in Atlanta, Georgia.

This is my first Birds of a Feather session, so it should be rather interesting. Before we start, let's break down the rules of engagement.

  1. “Birds Nest” – There are six chairs in the front of the room where attendees can come sit and participate in the on-going discussion. One chair will always be left empty to “invite” a new participant. If a new Participant joins the Birds Nest, one of the active participants must leave. The Moderator will facilitate attendees joining or leaving the Birds Nest.
  2. Stand-Up Microphones – There are stand-based microphones in each of the two aisles in the BOF room. Attendees will have the opportunity to line up at either microphone to add a quick question or comment. Anyone wanting to participate in more depth will be asked to join the Birds Nest. However, you do not need to ask a question at the stand-up microphone to join the Birds Nest.

**Lucky me, I got stuck in the Birds Nest.**

Is Private Cloud more Secure than Public Cloud?

Questions to Ask:

Public/Private Cloud Concerns

  • What are the physical security requirements?
  • Encryption of Data
    • Over the wire?
    • At Rest?
  • How do you prevent [D]DoS against your Cloud Applications?
    • Anti-Hacking
      • Cloud Provider Employee Security
      • Compliance
      • Multi-tenancy
  • Disaster Recovery
    • Backup
    • Redundancy
  • Auditing & Certification
    • SAS-70
    • PCI
  • Authorization & Authentication
    • How Quickly can I change Access Control?
  • Exit Strategy
    • What happens if I change providers?
  • Data Storage
    • E-Discovery (Ease of Access)
    • Archiving
    • Data Loss

Breaking down the Concerns

Physical Security

Large Cloud Providers have a large budget and a lot of brains for providing better Virtual Security. However, there are many concerns about Physical security. Should Cloud Providers allow tours? The majority of the room thinks that a tour should be provided (I think there should be Beer Provided as well).

What has the greater percentage of loss? Internal Hacking or External Hacking? Only 5% of the room was wrong and thought that External Hacking would expose more data.

A thing to note is that a typical Internal Data Loss is through an Employee with 7 or more years of Service, as they know all the Security Policies, the concerns, and what data would be of the most use to them.

Data Security also comes into play with Cloud providers:

  • Are you sure my data is within the regions I’ve specified?
    • Can they Audit that your Data is where it should be?
  • Is it a good thing that my data is distributed across many data centers?
  • Do Cloud Providers allow you to access Audit Logs?
    • What is the Expiry on logs?

Anti-Hacking

Can someone plug into my VM or access my Storage nodes? Hyper-Jacking is a term used to describe someone breaking into the Virtualized Sandbox where your Virtual Compute instance runs.

Multi-tenancy

Can the Cloud provider isolate my VMs or Storage from my competitors? Could that be part of my SLA? Should the Cloud Provider be transparent to the point that they can give away the list of their Customers in order to ensure you aren’t placed alongside your competitors?

This is a great place where you need to understand what Data you would like to publish to the Cloud and which Data you would maintain On-Premises.

Exit Strategy

It’s always good to have a Plan B, or some sort of Exit Plan. A great point was made by an Audience member, who said that the SLA should provide some parts of your Exit Strategy.

Should a Cloud provider make it easier for you to migrate your data off of their platform? Once your data is removed from their Storage Service, what level of “Removal” is provided? Would they destroy the Hard Drive?

Your exit strategy is something that should be identified upfront; if you think ahead, you can ensure that your data isn’t at risk when you look to leave your particular Cloud Provider.

Resources: