Private Cloud Security: How Your Data Security Changes in The Cloud

Jason Yaeger, Senior Director of Solutions Architecture at Otava, explains how data security changes for those hosted in the private or public cloud.

Cloud Computing Security

Presented by Senior Director of Solutions Architecture Jason Yaeger, Otava

Public & Private Cloud Concerns

I think security and resource allocation are our main issues with public cloud computing. You really don’t have any control over who is managing your firewalls, who is managing the resources that your virtual machines are sitting on.

So, if you look at the security offerings with private cloud hosting, they’re going to be much more geared towards physical server aspects. Whether you have 20 virtual machines or 20 physical machines, it’s going to be very similar how we think of security because we really don’t care what’s behind it – what we care about is making sure that each server is secured the same way as it would be in a physical environment.

And then from a resource allocation perspective, it’s on us to control your resources when it comes to RAM and CPU and disc usage. So, it’s very easy for us to guess, or calculate, not guess, calculate when you’re going to run out of your own resources. There’s not another client who could, all of a sudden, run some attack on somebody else’s equipment – which is what the public cloud is used for a lot.

It’s under your control. If you have a problem, we can identify it very quickly. We can remediate the problem you’re having and add equipment as needed.

Public vs. Private Security

So some of the differences between public and private cloud offerings, as far as security goes, are going to be:

• Your control over who sees your data – with the public cloud, you don’t know what employee at that company has access to your data. And it could be – typically these companies are very large, what controls do they have over the employees that can access your data. For a company that needs to be compliant in any way, that’s not going to be acceptable at all.
• You also don’t have any control over any of the firewall resources that you get. It’s all done in a virtual environment. So, the changes that are made to the firewall could affect you, even though you didn’t ask for those changes. Now, with a private cloud, as far as security is concerned, you control every aspect of it. Those firewalls are dedicated to you. The resources – you know who has access to those resources because it’s your company. We don’t, as far as Otava’s private cloud is concerned, we don’t access any of your data. It’s all on you. With a public cloud, you don’t get that.

Network Security Approach

Private cloud computing shouldn’t change your network security approach at all. You should think of your servers as either virtual or physical, but that shouldn’t change how you segment each one of their job duties. It shouldn’t change how you protect each VLAN behind your firewalls, from each other.

It doesn’t matter if they’re virtual or physical; it’s 20 servers. If you’re gaining some of the advantages of VMware or something like that by sharing resources, that’s a resource allocation – it shouldn’t compromise security whatsoever.

So we really don’t change any aspect of how we think of security when it comes to virtual environment because it should stay the same, whether physical or virtual.
 

Where Do You Host Your Private Cloud?

I think that the basis of what a company should look for when researching or doing whatever they need to do to find out where they should put their secure private cloud or if they should keep it in-house – one of those bases is going to be SAS 70 audit. Or, what it’s going to be known for now, is SSAE 16. If you’re going to put your secure private cloud somewhere and you don’t have that as a basis, it’s going to be very hard to pass any other compliances, whether it be PCI or HIPAA.

You’re also going to want to check with that services provider, if that service provider is not PCI or HIPAA compliant, do they have references from clients that actually have those certifications within their data centers somewhere.

So the basis for all of that is SAS 70 or SSAE 16, but even more so, if the managed service supplier is not PCI or HIPAA compliant, can they provide you valid references of clients that have passed that audit. That’s going to be key when finding a company to outsource your private cloud to.