Secure Cloud is a Reality

The move to the cloud has become a quick first step when looking to improve application delivery, performance and costs, yet in the back of everyone’s mind is whether or not the cloud can be secure.  

When it comes to the cloud these days however, security shouldn’t be a concern as long as you spend the time designing the right architecture for your application and infrastructure, understanding your security options and vetting cloud hosting vendors to ensure they have the ability to support your needs.

No matter where you deploy your applications, security must be a priority. It doesn’t matter if you are hosting your application in the cloud or on your own infrastructure, you need to be sure to design security into every part of the architecture. You need to have secure coding practices as part of your normal development process and execute scans on your code to ensure nothing mistakenly slips by.

Security should be considered something that is “built in” to your application. By taking this type of approach, you are always looking at security as a first class requirement of your application development process and something that is never forgotten. Security, however, is not something that can be assumed as being inherently known, it must also be taught and learned.

Development environments today even have plugins and built in capabilities to watch for and enforce secure coding best practices. Be sure to leverage them as you can never be too safe. That is why code scans are also important to ensure nothing slips by.

From the beginning of time, we have looked for experts to fill gaps in the skills we don’t have ourselves, and security is one of those areas that requires significant expertise. When thinking about your own organization, you likely have many strong capabilities, but you need to look at what gaps you have as well and be sure to fill them – either through hiring or through partnering or enlisting outside help.

You also don’t need to fill an entire capability area with a single person, department or entity. Instead, look at it as a set of responsibilities, each of which can be filled by different people as long as you can break up the responsibilities in a logical manner. For example:

- Physical

- Administrative 

- Perimeter

- Network

- Server

- Application Database

Within each of these areas or layers, you can further break down required capabilities and the owner is responsible to ensure that everything is covered by those who know it best.

Now think about the expertise you have and the expertise you need. Factor in the need for a team focusing on security 100% of the time, day or night. Not only are they looking at your systems, but they are gaining insights and experience from other companies by looking at hundreds of systems across industries and technologies.

That is what a good cloud provider can bring. They focus on securing your environment and those of their other clients. They have trained experts who live and breathe security, focusing on what security means, how to implement rules for prevention, what tools are needed to protect your systems and the actions if an attack may occur.

When looking for a cloud provider, you need to ensure that they understand security and have the full set of capabilities in place to help augment the needs of your team. Now remember, the cloud provider can bring expertise that you don’t have, and should be working as if they are an extension of your team.

The provider should bring with them capabilities that fill in the gaps your organization has in security knowledge and ability, but also a deep set of expertise that comes with being a security expert.  They should:

- Have a Security Operations Center (SOC), staffed with people around the clock to protect your systems and deal with any concerns that may come up at any time  

- Bring strong technology partnerships with them to provide security technologies that are not built in-house

- Help you to design your architecture to be secure, including making proactive recommendations for different software and hardware solutions

- Determine firewall rules and settings, and work with you to understand the unique requirements defined by your application

- Provide 24x7x365 monitoring, because you never know when an attack may occur.

- Supply automated patching of operating systems and other key components of your systems.

- Have audit experts ready to work with your team if you are undergoing, or preparing to undergo, a security audit

- Be willing to sign a Business Associates Agreement (BAA). A BAA is a contract between a HIPAA covered entity and a HIPAA business associate (BA). The contract protects personal health information (PHI) in accordance with HIPAA guidelines

The provider should also undergo audits of their own to ensure that both their data centers and their internal processes are secure, and meet different regulatory requirements.  These may include:

AICPA SOC3 - SOC 3 reports are designed to meet the needs of users who want assurance on the controls at a service organization related to security, availability, processing integrity, confidentiality or privacy.

PCI DSS Compliance - Service providers that store, process or transmit cardholder data must be registered with Visa, and demonstrate PCI DSS compliance. PCI DSS compliance validation is required every 12 months for all service providers. Inclusion on the registry indicates that the service provider successfully validated PCI DSS compliance with an on-site assessment, based on the report of an independent Qualified Security Assessor (QSA).

TRUSTe - TRUSTe powers trust by ensuring businesses adhere to privacy best practices regarding the collection and use of personal information on their websites and apps. If you see the TRUSTe Certified Privacy Seal on a website or app, the company operating that property has met the comprehensive privacy certification requirements established by TRUSTe.

The cloud can be secure, and if you choose the right cloud provider, they can help you and your systems be more secure than they would have been even within your own data center. The right providers bring expertise and experience that a single person within your company may not have, and sees security risks every day by working with many companies and systems. In reality, just like you live and breathe your business, they do the same for security.

When choosing a provider, you must look at their security policies, provided capabilities, certifications and the role they will play in securing your application. The application is yours and you will be ultimately held responsible, but if you can find a provider that will share that responsibility, bring you added expertise and help guide you to a more secure environment, you will be well ahead of the game.

If you have any questions or would like to chat further about anything related to cloud hosting, please feel free to shoot me an email.

And if you are looking for a cloud hosting option that understands agile software development, I’d be glad to talk about that as well. At INetU, we take a consultative approach from the beginning, ensuring that your systems are architected for performance, reliability and the industry’s highest level of security. Each of our customers is assigned a Chief Hosting Officer who proactively supports your systems for today with an eye toward your future business needs.

We treat your business as if it was our own. Which it is, because we are hosting your most critical resource.