by Ross Dyer
March 2014: mark it well in your diaries because it just might come to be regarded as a turning point in the global adoption of public cloud computing services. It was the month when Google and Amazon embarked on a fierce price war, cutting cloud storage costs by almost 70%. Last week Google was at it again, announcing a 47% cut in network egress charges; a 23% drop in Big Query storage prices; a 79% cut in persistent disk snapshot costs; and a 48% reduction in persistent disk SSD charges.
With price cuts like these, the public cloud becomes even more attractive to enterprise IT managers, but what about those niggling security concerns?
Data security is always cited as one of the top barriers to greater public cloud adoption. After all, the benefits of pushing non-critical workloads out into a third party-run cloudy infrastructure are otherwise compelling. Lower IT maintenance costs, reduced overheads, enhanced flexibility, greater agility – the list goes on. But many IT leaders are concerned that sensitive data could be compromised if it leaves the corporate network.
It’s certainly true that in virtual and cloud environments risks do exist. There’s the risk of inter-VM attacks; of virtual machines being provisioned without adequate patching; of inadequate separation between tenants. Then there are worries over “security storms” – which can occur in virtual environments when traditional security tools are applied, overloading the system and in some cases bringing it to a grinding halt.
It’s encouraging to see that many public cloud computing vendors are getting better at addressing these security concerns. But responsibility for your data ultimately resides with you, not them. As such, it’s important to understand what’s covered by the provider, and what you should be taking care of.
What to ask
Due diligence is all-important in the public cloud world. Here are a few things you should be asking of a prospective cloud provider:
- Are there firewalls between customers?
- How often and to what standard are audits conducted? (ask to see the most recent)
- Is there built-in anti-malware and Intrusion Detection/Prevention Systems?
- What kind of ID management and access controls govern the CSP’s staff?
- How is data encrypted?
- How quickly are hypervisor patches applied?
- Is there an incident response plan in place in the event of an emergency
- Is it in compliance with HIPAA, SOX, PCI DSS, (or any other relevant industry regulation)?