The intersection of cloud and security is a timely topic, given recent revelations that a virtual disk image belonging to the NSA – and containing more than 100 GB of data from an Army intelligence project code-named “Red Disk” – was left exposed on Amazon Web Services storage. Unfortunately, this is far from a one-off incident, and that kind of news is exactly what partners trying to assuage cloud data security fears don’t need.
How can you help customers do better? We caught up with Mike Bursell, chief security architect for Red Hat, to get his perspective. When speaking with customers, Bursell stresses that security isn’t just about breaches. Partners must also advise on data integrity, availability and more.
Channel Partners: In a recent survey, 74 percent of IT leaders said security concerns were a barrier to migrating to the cloud. Are these concerns valid?
Mike Bursell: The answer is: They may be. Companies are right to carefully consider the possible dangers of migrating to the cloud, but they should be aware that there may well be benefits as well. How many companies can afford to maintain 24×7 coverage of infrastructure health by experts in all of the systems that they are using? And what impact does infrastructure patching have on your day-to-day business?
It may be that cloud providers can help you here; this is their bread and butter, and a careful weighing of these benefits against the various risks may give you some surprises.
CP: Where does cloud security responsibility lie, with cloud providers or with the companies themselves?
MB: There are different types of security, and therefore different types of responsibility. When a company chooses a cloud provider, [it] needs to make that selection based on many variables — of which one must be security.
The first question people usually think about is confidentiality: Nobody wants their data leaking out! But what about integrity of data? Can the cloud provider assure you that no changes could take place to your data, or that it could not be deleted by accident? Equally important is availability. If I can’t get to my data, then it’s next to useless. So companies need to consider what questions to ask of their cloud providers, and what assurances they are willing to accept.
The bottom line is: Could your business line continue to run if your data was leaked, corrupted or lost?
From the point of view of companies, there is much that they should do themselves. The first of these is ensuring that their workloads are from reputable sources, patched and updated regularly. Maintaining authentication and authorization controls on applications is no less important when you are running them in the cloud than when you are running them internally; in fact, are the controls and mitigations that you have in place for internal applications equally effective in …