Fear Factor: Why Security Is Still The Cloud's Biggest Hurdle


CLOUD PROVIDERS STEP UP

Some of the biggest names in cloud computing say they're doing everything they can to address companies' security concerns.

"At AWS, security is our No. 1 priority," Terry Wise, head of the worldwide partner ecosystem for Amazon Web Services, said in an email interview. "We will drop anything we're working on if we think there needs to be work done to fortify security further."

AWS uses traditional security strategies and techniques plus unique approaches it's developed over the years, he said. The company's security measures include strict physical access control to its data centers, network monitoring and application-level services such as AWS Identity and Access Management. In response to customer demand, AWS has invested in certifications such as ISO 27001, PCI and HIPAA compliance, Wise said. AWS filed documentation with the CSA's STAR last summer.

Verizon Terremark prides itself on going "above and beyond" what security-conscious customers ask for, and has certified its infrastructure against a number of standards, including ISO 27001 and PCI, Omar Khawaja, managing principal of global security, told CRN. The company also is a member of STAR.

One way for organizations to overcome data continuity and retention issues is to leverage the cost benefits of a multitenant architecture, in which all organizations share compute resources, while also setting up a dedicated environment for systems that store sensitive data, said Troy Garrison, vice president of cloud experience at Verizon Terremark. Co-located facilities are typically provided by large cloud service providers, enabling organizations to take a more hybrid approach, isolating sensitive systems and setting up a more hardened environment, he said.

A hybrid approach can help address the risk of data seizure. If the FBI seizes servers from another company as part of an investigation under the U.S. Patriot Act, organizations that established hybrid environments for their more critical data would not be impacted, Garrison said. Verizon Terremark also provides data centers in other countries to help companies meet data retention laws in Germany, Denmark and France, for example. Customers can choose if they want multitenant firewalls and load balancers. Logs are collected and monitored by Verizon Terremark employees, he said.

"Every year the issues have become less and less of a problem," Garrison said. "We now have a large security practice and we alleviate most of the security outside of the comingling of data; we do not participate in a flat public network."

As for the ability of customers to audit, it depends, Khawaja said. "At the end of the day, we need to make a risk assessment. There are certainly parts of the infrastructure that are shared by multiple customers, so what we can't do is allow a customer to engage in an assessment activity that could cause undue risk and potentially harm another customer's environment and its availability," he said.
