Explaining cloud disappointments: DR readiness, data security
By Carol Ko 08-Jul-2011
2. Security in hybrid/ private cloud
Why is there a huge gap (down 55%) between the expected and realized goals of security in hybrid/ private cloud computing?
Tong: People are very familiar with public clouds. Private and hybrid clouds have only been around for a few years. This lack of familiarity raises issues around security.
At the same time, regulators are very cautious with new technologies, particularly where accountability to the public and the customer is in question.
"People who go into the cloud thinking of the huge cost savings on their IT budget discover that the savings are not really there (in the long run)."
-- Sam Tong, Symantec Hong Kong
Results of the Symantec virtualization survey show that while security remains one of the more prominent and visible concerns of cloud-computing-related technologies, in reality issues like cost -- the economic driver for most IT projects -- are actually even more serious. People who go into the cloud thinking of the huge cost savings on their IT budget discover that the savings are not really there (in the long run).
Isn't the private/ hybrid cloud model environment supposed to be "highly secure?" Suggest scenarios of likely data security breaches.
Tong: Because of its nature -- heavy dependence on virtualization -- most cloud components are invisible to the customer. This lack of component visibility makes tracking and monitoring very difficult. Also, by virtue of the virtual state of the cloud, users feel insecure about their data and the privacy of their information sitting in the cloud. Similarly, customers are concerned about application and critical server security.
Have private/hybrid cloud adopters over-estimated the security levels of their cloud solutions?
Tong: On the contrary, it is likely that many companies under-estimate the type of security they need for their cloud solution. While they have an overall understanding of why security is important, the lack of experience (awareness) of the technical considerations, and possibly experience attained from traditional on-premise data centers, combined make it difficult for them to find a suitable compromise.
Just as important, there are not sufficient adopters in their business category in their region/country to make for qualified decision-making.
How may security in hybrid/ private cloud computing be improved?
Tong: To improve the security of cloud-based services, providers must deploy the following tools and processes:
- Data protection and privacy
- Identity management like two-factor authentication
- Application and critical server security and protection
- Compliance requirements
- Security monitoring and auditing event management
- Vulnerability management
At the end of the day, virtualization and cloud initiatives are successful when implemented as mainstream, comprehensive IT initiatives. Because these involve all aspects of IT (server, storage network, application, etc.), they can fail when managed as siloed special projects. Treat cloud as an IT-wide initiative with all departments included in the planning and implementation.
The virtualization survey clearly shows that there are gaps between what people understand about the cloud and what they eventually achieve with the cloud. Setting realistic expectations becomes paramount to ensuring that the objectives are set at the right level. Tracking the progress of the initiative from planning to execution is also very important to ensure success.