Applications, systems and data all have different security thresholds. Even in highly regulated industries such as healthcare or financial services, there are cases in which virtual servers make sense. For example, web, mobile and social can be moved to a virtual server without the same degree of security concern as there is for regulated information or mission critical applications.
When deciding whether an application, product or service belongs in a cloud server, CIOs and CISOs must consider:
- Type of data or application;
- Service-level agreement; and
- Security environment.
The decision to move to the cloud, especially the public cloud, should depend on the sensitivity of the data and the level of security offered by the cloud provider. The final question should be whether the business value offsets the risk.
Cloud service providers (CSPs) are beginning to put a greater emphasis on security protections, with technologies such as clustered firewalls and intrusion detection and prevention systems (IDPS). In the cloud’s infancy, CSPs touted scalability, initial cost savings and speed. But the prospect of enhanced security in the cloud – indeed, that the better cloud deployments now mean that data is safer in the cloud than on a typical unsecured desktop – has altered the conversation. Organizations assessing cloud service providers can now seek out CSPs whose security controls mitigate the risks of moving to the cloud.
When considering a move to virtual server hosting, CIOs and CISOs need to check for audits of a CSP’s security controls. Look for providers who have passed the SSAE (Standards for Attestation Engagements) No. 16 Type II audit, one of the most rigorous auditing standards for hosting companies. The audit confirms the highest level of service and reliability attainable for a virtual server hosting company. To be SSAE compliant, a hosting provider should offer SSL capability, enterprise-level, application level protection, hardware firewall, IP-restricted FTP, managed backups with 14-day retention, advanced monitoring and multi-level intrusion prevention.
In addition, an increasing number of CSPs are using the American Institute of Certified Public Accountants’ Service Organization Control process (SOC), the organization’s certification of controls with verification for cloud environments. Some of the larger cloud service providers now publish SOC reports on their security controls. Mandates from CIOs and CISOs may be required before SOC reports are published by all cloud providers.
Now more than ever, cloud service providers are realizing that managing security is fundamental to facilitating cloud adoption. Those cloud providers concerned about safeguarding their clients’ data and applications are taking steps to mitigate those risks with tight security controls and transparency regarding those controls.