As one of the leaders in the cloud, Rackspace has amassed an impressive amount of insight on cloud, hosted infrastructure, hosted storage, security and more. The vendor also has one of the most informative blog series I’ve found when it comes to best practices in the cloud. This blog, The Many Faces of Cloud Security, is a great example. The author, Jim Battenberg, cloud evangelist for the vendor, shares the multiple points where solution providers – and cloud vendors – must consider “security.”
Physical Security. Often associated with retail, physical security technologies must be part of the plan when it comes to cloud. Cloud services providers should be held to high standards of physical security around their data centers and the infrastructure hosted within them. With those centers up and running year-round, that means physically securing the locations is a 24x7x365 endeavor. Make sure your provider can articulate how that is accomplished.
Data Security. This aspect of security in the cloud is where most folks can’t seem to agree. Your cloud services provider has a responsibility here, but so do you as a solution provider, and so do your customers. Jim writes: “Rackspace has implemented many controls to manage the risk of compromise to our internal networks and via the hardware and hypervisor layers and can also provide services and guidance on addressing those risks identified by the customer. As the data owner and the primary system administrator of their cloud solution, the customer is ultimately responsible for data security issues.”
Account Security and Access Controls. The never-ending challenge to security – cloud or otherwise – is the human element. That means access controls are just as important in a cloud solution as they ever were. That element of security requires an integrated approach that starts with end users who are educated about the risk of unauthorized access and escalates through to solution providers that take the time to develop and train on secure access control policies. Lastly, you need cloud providers that enforce those policies at their end as well.
Compliance and Regulation. Early in the cloud adoption curve, cloud security was so distrusted that most businesses subject to federal privacy and security mandates couldn’t even consider cloud. Today, most cloud services providers, including Rackspace, have created a secure environment that meets those mandates, and they should be able to show proof of those systems. Jim shares that Rackspace has earned validation for the following compliance frameworks: ISO 27001, SSAE 16 and ISAE 3402 (previously SAS 70 Type II), PCI DSS and Safe Harbor (export.gov). But he adds this last word of advice: “Of course, it is the customer’s responsibility to comply with relevant laws and regulations that impacts their data hosted in the cloud.”