Photo by Suzanne Gell.BCX's Julian Liebenberg says your existing security measures don't need to change when infrastructure or software services move into the cloud.

One of the hardest things to get your head around, when considering moving some of your applications or infrastructure into the cloud, is the question of security.

Surely, common sense dictates, it’s safer to keep your servers, applications and data securely on your own premises? Not necessarily. In fact, some proponents of the cloud argue that buying services rather than servers can be more secure.

Let’s take physical security first: how vulnerable is your infrastructure to floods, fires, theft and catastrophic hardware failures? Unless you’re in the top echelon of South African corporates and running your own data centre, the answer may be scary.

In this, as in other things, economies of scale matter. A specialist data centre serving scores or hundreds of clients can afford to invest in far better physical security than your average business ever can.

Once you leave physical objects behind and concentrate instead on your applications and data, the mental map of your organisation needs to change. The logical boundaries of a business have nothing to do with office walls. Instead, they’re all about firewalls. If your data is secure behind your own firewall, it doesn’t matter whether it’s physically stored in Johannesburg or Jakarta.

Herman van Heerden, New Order Industries, says passwords are still a problem.

And here again, cloud service providers benefit from economies of scale, being able to afford specialist skills and knowledge, as well as raw computing power, not available to the rest of us.

“When you move to the cloud, your security gets better and costs less,” says VMWare Southern Africa regional director Chris Norton. “Consider anti-virus scanning: the bigger the organisation, the longer it takes to scan every machine and the more productivity is lost. It’s an overhead that larger cloud service providers can factor in more easily. We have protection at the level of the physical hardware: we can stop a malicious attack before it even hits the operating system, with less overhead.”

VMWare is also, says Norton, “working with security vendors to develop appliances to lock down and secure the infrastructure in third-party environments, including firewalling, attack protection and virus protection.”

Then there’s the fact that the rules of providing security don’t change when systems move to the cloud. “There is a whole set of global standards against which we can measure our security,” says Albie Bester, Microsoft’s cloud business development manager for South Africa. “We’re not starting from scratch; all the basics of providing a secure IT environment, with the right physical and logical access control and security, still apply.”

“We have seven layers of security,” adds Bester, “from physical access control at our data centres through to firewalls, data encryption, and the rest. We’ve learned a lot from our own experience of cloud services like Hotmail and Windows Update. There’s no site on the internet with anything of value that doesn’t get targeted, and we’re always trying to stay one step ahead. Complacency is your biggest threat.”

It’s also important, says Bester, to ensure that cloud service providers not only have great security procedures in place on paper, but actually enforce them.

“If you don’t enforce your procedures they’re worthless, and if you don’t have frequent independent audits, all you have is good intentions,” he says. “But if you do it right, any organisation that measures their current data centre will see that they can get better security by moving to the cloud.”

Nothing about existing security measures needs to change when infrastructure or software services move into the cloud, says Business Connexion’s general manager for services Julian Liebenberg. “Your perimeter security stays in place, your governance rules stay the same, you still have the same antivirus protection – it all stays intact,” he says.

Lock up your data

What does need extra protection, he says, is data. “Any organisation that is going to be entrusting data to the cloud needs to insist on very strict data security SLAs,” he says. “Encryption is popular, but not adequate if you’re only getting session encryption; you need to encrypt the data where it is being stored as well. It should only ever be unencrypted when it’s in authorised and legitimate use.”

Accenture’s Willem Thompson adds that companies should plan carefully before moving any data into the cloud.

“You need to decide exactly what you will move, and what you won’t. Then it is your responsibility to put the right policies and procedures in place to protect that data. The vendor doesn’t know what data you are moving, or how important it is – that is the client’s responsibility.”

BT Global’s Todd Schoeman believes the data risks are significant and need to be carefully considered.

“If you put your corporate data into a service provider’s network, you might lose control of it. There is a governance risk involved. “Banks, for example, will never put their customer’s credit card details into a cloud; they need to be able to control the data security absolutely.”

Finally – but critically – where your services and data reside has no bearing on one of the largest security risks of all: people.

“The easiest way to hack a system is still to pay someone for the passwords,” says Herman van Heerden, executive director of New Order Industries. “Things aren’t any different in the cloud. You still need to control access to your system, from the inside and from the outside, and to monitor that access in real time, or as close to it as you can get. Your security needs to be baked into your systems from the start, regardless of where they are.”