Although cloud computing is becoming more and more established in enterprise networking, people are still discovering what the cloud is. One very important element of that – in many ways, the most important element – is security.
Cloud computing can help businesses cut costs in any number of ways, but the information that cloud systems handle often has to be treated delicately, and clients need to feel that they have adequate security in place. So what do companies look for from cloud services providers?
Here are some of the most important security features that cloud providers use to protect client data and to secure systems against hacking and unauthorized access.
Multi-Factor Authentication
Those who are shopping for cloud services would do well to look out for this term. It's a major source of user security for cloud systems, which often get deployed across many different business locations and individual access points.
Essentially, multi-factor authentication just means authenticating users in a combination of ways. Just like using a key lock and a deadbolt on a door, using multiple authentication strategies or factors creates better security for digital systems.
In general, multi-factor authentication involves combining different categories of security inputs. One category is the password, which is an intangible concept that someone creates and uses for access. Another category is a physical possession, such as a traditional key, a key card or even someone's mobile device.
A third category of security is called biometrics. This focuses on things that are inherent to an individual body. Unlike the above two categories, biometrics security components cannot be lost or misplaced. Biometrics uses things like fingerprint scanning, voice recognition and facial imaging.
How does multi-factor authentication work? It requires two or more of these different security components to work together, which makes systems much more secure.
For a concrete example of this, just look at how modern banks are protecting access for online banking users. It's becoming more common for banks to ask users for a password, as well as a key or set of numbers that they get from a text sent to their mobile phone. Here, the password represents the first, intangible category of security, and the smartphone text component represents the second category, because in this case the smartphone acts as the "key": it provides the PIN that the user enters. So, if the person isn't holding the smartphone, he or she is not going to be able to access the online banking system.
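The bank login described above, sketched server-side as an added example (not code from any bank or provider). The `LoginService` class, the 120-second code lifetime and the PBKDF2 iteration count are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 120  # assumed lifetime of a texted code


def hash_password(password: str, salt: bytes) -> bytes:
    # Slow, salted hash so a stolen credential store is costly to crack.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


class LoginService:
    """Hypothetical two-step login: password first, then a texted code."""

    def __init__(self):
        self.users = {}    # username -> (salt, password_hash)
        self.pending = {}  # username -> (code, expires_at)

    def enroll(self, username: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.users[username] = (salt, hash_password(password, salt))

    def start_login(self, username, password, now=None):
        """Check factor 1; on success return the code to text to the phone."""
        now = time.time() if now is None else now
        record = self.users.get(username)
        if record is None:
            return None
        salt, stored = record
        if not hmac.compare_digest(stored, hash_password(password, salt)):
            return None
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[username] = (code, now + CODE_TTL_SECONDS)
        return code  # a real system hands this to an SMS gateway instead

    def finish_login(self, username, code, now=None) -> bool:
        """Check factor 2; each code allows one attempt and then expires."""
        now = time.time() if now is None else now
        issued = self.pending.pop(username, None)  # pop: no second guess
        if issued is None:
            return False
        expected, expires_at = issued
        # Constant-time comparison avoids leaking how many digits matched.
        return now <= expires_at and hmac.compare_digest(
            expected.encode(), code.encode())
```

A correct password alone never grants access here: `finish_login` succeeds only for a session that passed `start_login`, and a wrong or late code forces a fresh login.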
Identity and Access Management
This category of security is closely related to authentication, but it works a bit differently. With identity and access management, businesses have a way to assign access and privileges to individual identities that will be authenticated within the system. If multi-factor authentication is the method of access, then identity and access management is the assignment of clearances or the "permission vehicle" for letting people into the system.
Cloud services should incorporate this design, so that managers can think carefully about what information people need access to, and assign access based on those considerations. It's important that people who are doing the work can get into the system to do their jobs, but the system must also keep a lid on sensitive data and ensure that it's distributed to as few people as possible.
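A small model of the access assignment described above, as an added example that is not any provider's API. The roles, users, resources and the rule that sensitive data requires an MFA-verified session are constructed for illustration.

```python
# Constructed roles, users and resources for illustration only.
ROLE_PERMISSIONS = {
    "support": {("read", "tickets")},
    "finance": {("read", "invoices"), ("write", "invoices")},
    "payroll": {("read", "salaries"), ("write", "salaries")},
}
USER_ROLES = {
    "ana": {"support"},
    "ben": {"finance"},
    "cho": {"finance", "payroll"},
}
SENSITIVE = {"salaries"}  # assumed to require an MFA-verified session


def is_allowed(user, action, resource, mfa_verified=False):
    """Default deny: access exists only if an assigned role grants it."""
    if resource in SENSITIVE and not mfa_verified:
        return False
    return any((action, resource) in ROLE_PERMISSIONS.get(role, set())
               for role in USER_ROLES.get(user, set()))


def who_can(action, resource):
    """Access review: every identity whose roles grant this access."""
    return sorted(u for u in USER_ROLES
                  if is_allowed(u, action, resource, mfa_verified=True))


def unused_grants(access_log):
    """Grants never exercised in the log: candidates for removal."""
    used = set(access_log)
    return sorted((u, a, r)
                  for u, roles in USER_ROLES.items()
                  for role in roles
                  for a, r in ROLE_PERMISSIONS[role]
                  if (u, a, r) not in used)


# Constructed access log of (user, action, resource) events.
SAMPLE_LOG = [
    ("ana", "read", "tickets"),
    ("ben", "read", "invoices"),
    ("cho", "read", "salaries"),
    ("cho", "write", "salaries"),
]
```

`who_can` answers how widely a sensitive resource is distributed, and `unused_grants(SAMPLE_LOG)` lists permissions that could be withdrawn without stopping anyone's work.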
Encryption Standards and Key Handling Tools
Encryption is a core component of cloud security. In various ways, cloud providers encrypt data so that it can’t be stolen or leaked as it makes its way to and around the cloud. That said, each cloud company will have its own security encryption standard, where better encryption generally means better security.
But that encryption standard is not the only component that allows companies to get good security outcomes. There's also the issue of key handling.
Encryption systems typically use sets of encryption keys that allow for authorized use of the data in question. So somebody needs to have access to those keys, and use them appropriately. Many businesses have learned the hard way that there's a right and a wrong way to maintain access keys, and the idea of encryption key management was born.
Nowadays, businesses have choices: for example, Amazon Web Services offers a set of key management tools that many CIOs swear by. But some cloud providers also offer key management services of their own, because they understand how important it is not just to encrypt data, but to preserve the right kinds of access.
Cloud Encryption Gateways
It's also important to figure out how and when data is encrypted and when it is decrypted, because again, without decryption, valuable data can become useless to those who need to handle it.
Another big idea that has come out of this struggle is the cloud encryption gateway. A cloud encryption gateway is very much like a virtual private network or VPN system. It provides a secure tunnel for data from one specific point to another.
In VPN systems, data is often encrypted as it leaves a private network and makes its way through the public Internet. It's decrypted on the other side, which is why people refer to it as a "security tunnel" for data.
A cloud encryption gateway acts the same way, and the Grand Central Station where all data gets packed into production is the point where the information leaves the private enterprise network and enters the cloud.
The value of these kinds of security services is pretty intuitive. If there is a consistent means and method of encrypting data as it leaves the private network, that's going to serve as both an effective means of security, and something that helps with compliance if regulators start getting into the nuts and bolts of how a company handles its data.
Mobile Platform Security
Cloud security also needs to address that rapidly growing area of IT that so many of us are now using to do all kinds of computing and perform all kinds of transactions: mobile. The mobile arena is becoming more and more a part of our lives, and cloud services need to anticipate the challenges of keeping data safe while it's going to and from mobile endpoints.
Mobile security strategy relies on many of the components described above. Cloud providers need to look at effective encryption, and they need to look at any vulnerabilities inherent in mobile operating systems or commonly used mobile applications. There's more than one way to do this, and it's something that an individual vendor should be able to explain to clients in a way that doesn't make their heads spin.
This is just an example of the kind of checklist that purchasers keep in mind when they actually go looking for cloud providers. As evidenced by hilarious new articles like The Onion’s HP spoof, we can't just go around saying, "I've got cloud" or "I use the cloud for (X, Y or Z)." We have to know what it is and what it does, and how it’s set up to give us better outcomes than traditional networking and storage systems.