Modern field guide to security and privacy

What's in a cloud? Five key principles for secure cloud computing

Businesses can capture the agility and cost benefits of public cloud networks while keeping the security they enjoy on a private system

Tony Avelar / The Christian Science Monitor
Kirsten Davies, the deputy chief information security officer (CISO) of Hewlett Packard Enterprise, speaks on a panel at the second annual Beat the Breach event in San Francisco, Calif. Hosted by cybersecurity firm Invincea and the Christian Science Monitor's Passcode section, the event brings together top private sector executives with leading government officials in cybersecurity.

Businesses big and small have come to a tipping point with regard to cloud computing: either you are already utilizing some flavor of cloud services or you are evaluating them. Businesses can no longer afford to ignore the agility and cost benefits of moving some of their workloads to a cloud environment, which is not to say they should move ALL of their workloads to the cloud. There are significant barriers that a company must overcome before embracing the benefits of the cloud.

The greatest concerns for a business migrating their workloads to a cloud environment involve information security and regulatory compliance, according to 451 Research.

Public cloud providers provide a great base level of information security, which meets the needs of some companies. By design, this security is for the “lowest common denominator” or one that meets the needs of the greatest number of customers most of the time. Because of this, there are still real security concerns unique to public cloud providers — ones that are difficult to address.

For example, how do public cloud providers work with an enterprise that has mature and established security controls? Does the business have to remap and revise their existing security and compliance model to adhere to the mandatory systems and controls of the public cloud provider such as a proprietary access control system? Deviating from the public cloud provider’s requirements is not often possible, even if the enterprise has more proven and stringent controls in place.

Similar concerns exist and impact every market, from financial services and healthcare to manufacturing and government. To meet these complex challenges, enterprises are looking for a hybrid cloud solution, which includes both private cloud and public cloud. This arrangement addresses security concerns while providing the advantages of a cloud environment, including allowing enterprises to retain control of their technology infrastructure.

HPE has identified the five key capabilities necessary for securing a hybrid cloud environment:

Data-centric security: Protecting data is the core of security and compliance controls. Data needs to be secured at rest, in motion and while in use. It should maintain an index with a searchable data format after it is protected and the encryption should be multi-layered.

Dynamic infrastructure hardening: Just like on-premises machines, the cloud infrastructure needs to be updated and hardened to reduce attack surfaces. Traffic between virtual machines needs to be secured, and core operating systems should be patched and hardened to prevent hypervisor breakouts.

Monitor, detect and respond to breaches and security events: Businesses need complete visibility into all parts of their hybrid cloud environments. There must be a method to collect and analyze log data from multiple sources into a single location and format. The data must be meaningful and actionable—providing specific steps and actions for a coordinated response from security teams.

Continuous regulatory compliance: Compliance is critical. A cloud solution must adhere to a consistent set of auditable controls across the entire hybrid cloud environment. The model should be policy-based and include integrated tools that automatically check for compliance drift against common regulatory standards.

Shared access management: The hybrid cloud solution must also have a common method for shared identity and access management across all components. It should include a portal for administrative functions, as well as an integration point with the established enterprise directory services. Ideally, it would also offer a federated single sign-on (SSO) for multiple cloud environments.

The advantages and benefits gained from using private and public cloud computing are compelling. The potential business consequences of not doing so can be devastating. Where security and compliance challenges may have been a barrier to cloud adoption, today, companies like Hewlett Packard Enterprise can help you address these concerns, allowing your enterprise to take full advantage of the benefits of cloud computing.

Chris Steffen is the Chief Evangelist for HPE Cloud Security. He is part of the HPE Helion team that promotes information security as it relates to cloud computing solutions. You can follow him on Twitter at @CloudSecChris and can read his blog series on Securing Your Hybrid Cloud here.
