Small clouds: Security selection criteria
What security criteria should you use to select a cloud vendor that provides the web-based applications your small business or home office needs? Greg Machler has tips for making the right choice.
By Gregory Machler
November 22, 2010 — CSO —
There are a variety of players positioning themselves in the cloud computing arena today. How does a small/medium business or home office user choose a cloud-computing partner? What small cloud security concerns can tip the balance in choosing a cloud computing partner?
Let's investigate the following security criteria: data encryption, redundant infrastructure, fine-grained access controls, and web application certification. First, home office and small/medium business users need critical applications such as word processing, spreadsheet analysis, and presentation tools. They also need email and data storage for pictures, videos, personal data, and small business data. Other tools they need in the cloud include publishing software, yearly tax-return software, POS (point of sale) systems, and small/medium business bookkeeping tools. How can all of this critical data be protected and recovered when necessary?
The cloud vendor should make sure that all sensitive data is encrypted. This encryption prevents cloud-vendor (like Google) administrators or internet-network provider (like AT&T) administrators from seeing credit or personal data when it is on the SAN (storage area network) or NAS (network attached storage) storage subsystem. The data should be protected in use within the application and at rest.
The use of redundant architectures within the cloud vendor enables quick user and/or recovery of data. It is very important that no email, small business data, tax return data, or personal photos be compromised, corrupted, or lost. It should be comforting to know that the cloud vendor's architecture is superior to current small/medium business IT infrastructures, enabling simple data recovery. The small business often has data on a DAS (direct attached storage) drive or a small NAS drive, which can easily crash. What about defining who has access to my data?
It is important to have very granular access controls to cloud client data. Only the small/medium business or home office user should be able to access their own data that is in the cloud. This data should be stored in such a way that corruption of another person's email or personal data will not impact others' email or personal data.
Also, web-facing applications (word processing, spreadsheets, tax data, etc.) should be certified periodically (once a year) so that we can be assured that our data is not phished. This certification indicates that the vendor applications are protected from all known cyber-attacks up to the end of a one-year period.
Currently Google and Microsoft are major players in small/medium business and home office cloud computing. Google has a huge presence in Gmail, their email product, and Google Docs. Microsoft dominates the creation, update, and revision of word processing, spreadsheet, and presentation tools. [ed note: corrected.] Microsoft's products are not yet web-based solutions. This battle for ownership of the cloud pie is limiting adoption of cloud computing as a whole.
In summary, users and small businesses need critical applications with web user interfaces so users will only need the cloud for their services. The user needs cloud-based encryption and data recovery. The cloud vendor deploys redundant architectures to protect against large-scale failure. The cloud vendor must provide fine-grained user-based access controls defining who has access to the data. Cloud applications need to be certified periodically to ensure protection from cyber attacks. Finally, corporate competition is preventing full deployment of small office user and small/medium business solutions in the cloud.
Machler is an independent IT architect/marketing consultant focused on IT and product solutions that intersect both marketing and engineering. Reach him at email@example.com.