In the late ’90s, when the consumer internet was relatively new, there was a controversy swirling around online commerce: is it safe to use your credit card online? Fast forward to today. Online commerce is ubiquitous, and one of the largest credit card breaches to date recently occurred in Target’s brick-and-mortar stores. Now, with enterprise cloud computing, there’s another controversy swirling: is it safe to store your data in the cloud?
As a provider of EMC cloud services—including Mozy and Spanning—and in working to tier our on-premises storage products to an EMC object service, I’m often asked this question. The answer depends upon the level of security deployed by the cloud service.
By federating identity and authentication with employees’ corporate authentication service, IT can make access to these services both more convenient and more secure. Data should be encrypted in transit and at rest, and customers should have the option to use their own encryption keys. To validate that the data arriving in the cloud is exactly the same as at the point of origin, the service should apply a payload integrity validation check, which safeguards against corruption in transit. A solid role-based access schema will ensure authorized users can perform only their intended duties. Finally, to respect data sovereignty laws, the service should provide geographical data residency options.
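The payload integrity validation check described above, as an added illustration rather than code from EMC, Mozy or Spanning: the client computes a SHA-256 digest over the object before upload and sends it with the payload, and the service recomputes the digest over the bytes that actually arrived and rejects the upload on mismatch. The sample payload and the choice of SHA-256 as the digest are assumptions made for this example.

```python
import hashlib
import hmac
from typing import Optional

# Constructed sample payload standing in for a backup object sent to the cloud service.
PAYLOAD = b"customer backup archive bytes 0123456789" * 8


def digest_at_origin(data: bytes, chunk_size: int = 64) -> str:
    """Client side: compute the SHA-256 digest that travels with the payload.
    Hashing in chunks mirrors streaming a large object from disk."""
    h = hashlib.sha256()
    for i in range(0, len(data), chunk_size):
        h.update(data[i:i + chunk_size])
    return h.hexdigest()


def verify_on_arrival(received: bytes, claimed_digest: str) -> bool:
    """Service side: recompute the digest over the bytes that actually arrived and
    compare it in constant time with the digest the client sent."""
    actual = hashlib.sha256(received).hexdigest()
    return hmac.compare_digest(actual, claimed_digest)


def simulate_corruption(data: bytes, byte_index: int) -> bytes:
    """Flip one bit to model corruption somewhere between origin and cloud."""
    corrupted = bytearray(data)
    corrupted[byte_index] ^= 0x01
    return bytes(corrupted)


def upload_check(data: bytes, corrupt_at: Optional[int] = None) -> bool:
    """End-to-end: digest at origin, optionally corrupt in transit, verify on arrival.
    Returns True only when the service should accept the upload."""
    claimed = digest_at_origin(data)
    on_the_wire = data if corrupt_at is None else simulate_corruption(data, corrupt_at)
    return verify_on_arrival(on_the_wire, claimed)


if __name__ == "__main__":
    print("intact upload accepted:", upload_check(PAYLOAD))
    print("corrupted upload accepted:", upload_check(PAYLOAD, corrupt_at=100))
```

A plain digest detects corruption; if the digest itself could be altered by an attacker on the path, the service should require it over an authenticated channel or use a keyed MAC instead.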
Physical access to the data center must be strictly controlled at building entrances by a professional security staff who enforce visitor policies. But even more important is cyber hardening of the perimeter, hosts, and applications. Even one security hole in the perimeter could be exploited to breach the intended boundary, allowing access to the high-value servers and data. Steps like ongoing vulnerability monitoring and solid patching practices are essential. Access management is also crucial, and stronger authentication measures for legitimate administrators go a long way in preventing password-based attacks.
The next step in prevention is early detection. Active monitoring provides an ideal air cushion in the event a flaw is exploited. Tools such as RSA Security Analytics provide alerts from both unexpected log activity and indicators of compromise within the active network traffic flow. And, in case the worst happens, the service needs an incident response and containment team available 24/7.
How does one know that a service is taking these measures? There are self-certification attestations, such as assuming responsibility as a Business Associate under HIPAA. There are also independently certified attestations, such as SOC 1 or SOC 2 Type 2 and ISO 27001:2013, just to name a couple.
When it comes to security there are no absolutes, but with the right features, operations and compliance in place, a cloud service can provide protection equal to or even better than some on-premises data protection options.