By David Jones, Cloud Solution Marketing Manager at Hyland, creator of OnBase.
Cloud security tends to focus on perimeter security, or how the cloud system and its data are protected from external access; firewalls, password protection and secure Internet channels live here. To be honest, this is the type of security that most people are concerned about when thinking about the cloud, but the recent RSA Security conference in San Francisco, USA, highlighted that perimeter security is no longer good enough.
The good news is that just about all cloud vendors have perimeter security under control and do a very good job of explaining exactly how secure their systems are. But as the RSA conference very bluntly explained, the bad news is that this type of security is only part of the real picture. In addition to perimeter security, you need to consider four other areas: Application Security, Data Protection, Disaster Recovery and Vendor Stability.
Perimeter security focuses on keeping the bad guys out of the system – so, essentially, it stops any attempts at hacking in whatever shape they come. However, it appears that hackers are realising that perimeter defenses are getting stronger all the time, and that there are easier access routes.† One of these routes is via existing, legitimate logins. These could be gained through sophisticated phishing emails or simply by watching someone log in whilst standing behind them. Either way, the hackers are now in your system and you need a way of identifying and dealing with that – application security can provide that protection.
Application security comes in many guises but involves areas such as identifying strange or irregular activity, ensuring access permissions are properly set across the organisation, and the ability (or some would say mentality) to take a security-first approach, i.e. locking down everything unless there is a specific reason not to do so.
One final note on application level security – it is not specific to the cloud but is equally applicable to on-premise systems. It is quite simply an essential tool in the security arsenal.
Most business people in the UK will have heard about EU Data Protection legislation. I won’t dive into the legalities of it here but suffice to say, the EU is proposing a new set of directives designed to govern the management of personally identifiable data, i.e. data that relates to individuals. This has wide-ranging implications for storing content in the cloud, but there are two key aspects to note here:
1. This only relates to personal data, not things like marketing materials or company accounts.
2. The legislation is not yet passed but it is expected to be completed in the next twelve months or so.
One way to try to comply with the rules regardless is to ensure that your cloud content is stored in UK data centres (assuming you are a UK company). The better cloud vendors will currently have UK data centres, but not all do, so if you are considering a move to the cloud, or are already using the cloud, this is worth checking.
One of the benefits of the cloud is that aspects such as back-up and disaster recovery are carried out by your cloud vendor. However, just because someone else is doing the heavy lifting, it does not always mean that they are doing it well. There are two key aspects to cloud-based disaster recovery: recovery time and restore period.
Recovery time is simply how quickly your system can be up and running after a crash. While this appears important, it is not as important as the restore period, or the frequency of back-ups.
Think about a cloud solution that can be recovered in ten minutes following a crash – it sounds fantastic! But if the crash happens at 4.45pm and the last back-up was made at midnight, then virtually a whole day of work has been lost. Balancing recovery and restore times is vital, as is making sure that the back-ups made by your cloud host comply with the data protection rules previously mentioned.
Finally, moving your systems and data to the cloud is a big commitment and something that should not be taken lightly. Many people consider cost and security as the key factors in any such move but for me, vendor longevity and stability are of equal, if not higher, importance. Many cloud vendors are fairly new and with that newness comes incredible agility, more often than not excellent software, wonderful pricing and fantastic promises. However, what happens if that vendor goes out of business? Without wanting to sound like the bearer of doom and gloom for cloud startups, you need to understand the balance of risk and reward when selecting a cloud vendor. Established vendors have more stability and therefore less risk but, in turn, may have slightly less attractive solutions and pricing. Newer vendors have less stability so are higher risk but may offer more attractive solutions and pricing. The choice is yours!
Complete Cloud Security
So, it turns out that (cloud) security is more complicated than we originally thought and that may mean that cloud solutions take a little longer to evaluate. However, the positive thing is that once a cloud vendor can satisfy a skeptical potential customer that they can deliver against ALL of the above points, the prospect can have complete confidence in its vendor, cloud solution and the associated security. Because of that, migration to the cloud should be a comfortable one.
†Nice and Easy Does It – Infosecurity Magazine, Volume 12, Issue 1
David Jones, Cloud Solution Marketing Manager – Hyland, Creator of OnBase
David Jones is Cloud Solutions Marketing Manager at Hyland, creator of OnBase, delivering cloud and solution marketing for Hyland’s comprehensive cloud-based enterprise content management (ECM) solution, the OnBase Cloud. David is responsible for all aspects of marketing the OnBase Cloud including planning and executing its product marketing strategy.
Bringing over twenty years of experience working with users and vendors across a wide range of vertical markets to Hyland, David focuses on complex technologies, such as data mining, business intelligence and electronic enterprise content management (ECM), and developing them into commercial solutions, delivering content management, information security, data mining, Big Data and business intelligence strategy and implementation solutions to clients such as Hewlett Packard, Fujitsu, Canon, BBC, SAP, Alfresco and Cisco.
Prior to Hyland, David worked as a market consultant and analyst at AIIM, and previously held multiple IT consulting roles.