Cloud security: What you need to know and do

When it comes to protecting the security of your assets in a cloud environment, the core questions are: What do I need to know and what do I need to do?


These are questions I, together with Brian Foster from McAfee, will address in an upcoming session—“Do I need a private cloud?”—at the McAfee FOCUS Security Conference, taking place Oct. 18-20 in Las Vegas. While we can’t explore these questions in depth in this post, we can at least get started down the path.

Before we start though, we need to have a clear picture of the “asset” we are securing. If your company produces highly specialized, high value products, then the asset has high value and demands greater protection. If your company produces open source software, then perhaps a lesser degree of protection would suffice. With this in mind, consider the following:

1. Understand the services you are consuming and the associated risks.

Many organizations don’t have a clear view of the cloud services they are consuming and the risks those services pose to the organization. Let’s take a simple example: Are you using Gmail or hosted Microsoft Exchange for your company’s email? While both email services are reasonably secure, Exchange is generally considered to be more appropriate for corporate environments.

Once you have a clear picture of the asset, you will then need to make certain that the security of the services is appropriate.

2. Provide the proper security training for all employees.

Your own people are one of the keys to overall security, and one of the risks. If, for example, a single employee opens a malicious attachment on an email message, you could end up with a significant breach in security.

This reality points to the need for ongoing security training and awareness efforts. When it comes to the security of your systems, applications, and data, all employees are on the front lines.

3. Build a secure infrastructure.

Cloud security is a multi-layered problem that requires multiple layers of security at both the client and the data center level. Some of these layers overlap, such as network firewalls and intrusion prevention systems that help protect both client and server systems.

At the client level, you want to take all the usual steps, such as requiring all client systems to run anti-malware software that automatically updates itself on a regular basis and is optimized for the client to minimize system performance impact.

At the data center level, you need to put trusted compute pools in place to create a security foundation. This hardware-level security is enabled by technologies such as Intel® Trusted Execution Technology (Intel® TXT), which protects IT infrastructure against software-based attacks. It does this by checking the consistency in behaviors and launch-time configurations against a “known good” sequence.

Complement this launch-time security with a well coordinated approach to security across your network, servers, data, and storage that helps you identify and stop attacks in real time. By connecting policies and controls across physical, virtual, and cloud infrastructures, your data center team can enable secure, elastic, on-demand services without compromising on compliance or jeopardizing availability.

While they may seem obvious, these simple steps are extremely important. If you haven’t fully covered them, you’ve got holes in your cloud security strategy.

We’ll talk more on this at the data center track session on Oct. 20 at 2:30 p.m. at the FOCUS event. In the meantime, push forward with your security efforts.