by: Pierluigi Stella, CTO, Network Box USA, Inc.
I was at a CU conference last week, listening to a discussion on cloud security when an examiner (on the panel of presenting experts) astounded me by saying, “Simply don’t do cloud”. To say I was astonished would’ve been the understatement of the year. This is the equivalent of 15 years ago when someone said, “Simply don’t do Internet”. Or a mere three years ago, “Simply don’t do social networks”. Such an overtly simplistic approach doesn’t consider that businesses must keep up with the times; you can’t stay away from the evolution of communications in a bid to avoid its inherent security implications. I mean, do we stop driving because we could get into an accident? No, we accept it as a possible occurrence and take steps to minimize the risks. That same modus operandi should be implemented across the board, be it in decisions pertaining to new trends and technologies, or new ways of conducting business.
Saying “simply don’t do it” is, simply put, unacceptable. Businesses are embracing the cloud because it simultaneously delivers savings, enables disaster recovery, and supports business continuity. In virtualizing its servers, a business achieves cost sharing, but a virtual server can easily be built in-house as well. The cloud delivers much more than that: not only shared servers and shared resources, but also implied business continuity, backup and disaster recovery. When you consider all the advantages of the cloud, it truly does put things into perspective.
Is this something that your CU shouldn’t consider because of security concerns? Absolutely not!
Approach the security issues as you would in your own physical network. Build your own virtual network, protected by your own virtual security device. Don’t skimp on security; ensure your protection includes a solid IPS; procure the same monitoring and reliable security you’ve established on your premises; ensure the same access rules are followed. Basically, treat it just as you would treat your physical network. And although all of this may seem obvious, I can assure the reader that not everyone thinks of the cloud this way.
Many assume that security is in the hands of the provider; in fact, there’s a general misunderstanding about the separation of duties and responsibilities related to security. Your security is your responsibility, no matter where your data is, because the risk is still yours. So whilst the cloud is imperative to today’s businesses, proceed with eyes wide open. Firewall, IPS and access control are fundamental. Ensure your network is well separated from that of your virtual neighbors; in no way should anyone extraneous to your company have accidental access to your private data. Demand security certifications from your provider; this will guarantee physical security as well, since you’re no longer in a position to ensure that yourself.
In a nutshell, adopt the cloud because your business needs it but do so properly. If you don’t, sooner or later someone from the board will question the monies spent on physical servers and IT when “the other CU where he’s also serving as board member” is saving so much by going to the cloud. Just remember, conduct due diligence.
Pierluigi Stella, CTO, Network Box USA, Inc.
Pierluigi worked for 15 years at IBM, accumulating international experience primarily in the oil and manufacturing sectors. With a sterling track record of successfully accomplished projects, extensive technical know-how, and nine years as head of both the technical and customer service divisions of Network Box USA, Pierluigi has been helping financial institutions and health care providers develop their security policies, and has accumulated extensive experience and knowledge of security issues.
He is one of the founders of Network Box USA.
Pierluigi graduated magna cum laude with a Master’s in Electrical Engineering and has received numerous industry recognitions for notable career achievements, including two Excellence Awards for innovative design. www.networkboxusa.com