When evaluating the risks inherent in cloud computing for a particular data set or application, it’s important to start with how the enterprise interacts with the cloud. The answers to just a few straightforward questions could dictate the use of a particular cloud architecture and highlight important security issues that must be addressed before cloud migration:
Does the application contain sensitive data? Sensitive data generally refers to data whose confidentiality must be kept intact. Common examples include financial information, medical records and proprietary intellectual property. Organizations also must consider the regulations to which they are subject. For example, an organization that maintains medical records is almost certainly subject to Health Insurance Portability and Accountability Act (HIPAA) regulations, which will affect its data security and privacy practices. Simply put, sensitive data needs greater protection than nonsensitive data. Thus, the more sensitive the data is, generally, the riskier it is to have in a cloud architecture (especially a public cloud).
Who uses the application? Is the application to be used by customers, business partners or employees? Where will these users be located (for example, anywhere on the Internet, within the enterprise only or on a few designated partner servers)? An application that’s going to be widely used is often a good candidate for migration to the cloud. An application that is used only by internal employees may be a better candidate for a private cloud deployment. Regardless of cloud architecture, any applications used only in particular locations (in the enterprise or on partner sites, for example) can benefit from firewalling and other controls that restrict access – preventing access by attackers and malware from other locations.
Does the organization need to transfer data between the cloud environment and the internal environment? Data transfer can significantly complicate cloud deployments, particularly if the organization conducts frequent, high-volume data transfers. For reliability, cost and other reasons, it may make more sense to keep such data and applications at the organization’s own facilities (perhaps in a self-hosted private cloud) instead of an externally hosted location. If a public cloud is used, IT administrators should factor in the overhead involved with securing the traffic — generally by encrypting the communication or passing the traffic through an encrypted tunnel.
Does the application demand high availability? In other words, does it truly need to be available all the time, with no scheduled outage windows? This may favor a public cloud architecture. If part of a public cloud has a systemic failure (due to such circumstances as a natural disaster, power outage or Internet outage), then another part of the same cloud at a different location could continue to make the application available. An organization might even want to use multiple clouds with different Internet service providers or electricity companies for additional redundancy.
CDW’s white paper “Protecting Cloud Data and Applications” provides even more insights on cloud security and application management. Also, you can learn more about CDW cloud solutions by going to CDW.com/cloud.