Posted by: Fohlhorst
Cloud is a word that has helped to misclassify IT operations. Throw the word private in front of cloud, and now you really have some confusion, especially when it comes to security. The problem is that the word cloud implies a nebulous entity that allows information to be shared freely, while private indicates the exact opposite.
Today, social networking and cloud technologies are all about sharing information — much to the chagrin of those responsible for keeping intellectual property safe and secure. For those seeking to share information freely using cloud technologies, private clouds become an ideology of choice. However, private clouds can be anything but private, especially if they’re using the Internet as a connection methodology between sites.
In effect, this means that private clouds will always have some form of connectivity to the outside world. Of course, a properly configured private cloud will incorporate several virtual and logical barriers that are designed to prevent unauthorized access to the content contained within (that’s the theory, at least).
Nevertheless, those managing and attempting to secure private clouds have to ask themselves a few questions, including: How can I be sure my cloud is protected from intrusion? Is my firewall, VPN or other security technology effective? How can I remediate any security problems?
The answers to those questions dictate how to proceed with a security ideology that effectively protects data contained within private clouds. For many, the answer comes in the form of layered protection. By combining the benefits of a stateful packet inspection firewall, encrypted access, secure logins and extensive auditing, compliance managers should be able to protect private clouds effectively. Yet some will find that this may not be enough.
Luckily for IT managers, the security market is evolving, bringing new technologies to the market that help prevent, remediate or detect security issues. Of course, the best approach is to avoid a breach altogether — a task that may be impossible but is nevertheless a worthwhile goal.
Companies such as Palo Alto Networks are re-engineering firewall technology to be more effective, and are offering new products that seem to be a better fit within the cloud community. Naturally, Cisco, Juniper, Check Point and many others are also hardening their security products to better protect IT assets, all of which will help make it easier to secure private clouds.
Nevertheless, cloud security still needs to be validated and maintained, and those tasks usually require auditing, forensics, continual testing and effective monitoring. These tasks usually fall to compliance officers and security administrators. Luckily, the tools in these arenas are evolving as well.
For example, networking forensics vendor NIKSUN launched a forensics platform that promises to give IT managers full insight into network activity. Ideally, administrators could use NIKSUN’s forensics utilities to diagnose breaches, gather evidence and plug holes.
Keeping private clouds private demands that IT managers take a different look at how security is enforced across a network and how interaction between networks is monitored. This requires effective monitoring and analysis that goes beyond validating firewall and user account settings. The key here is to catch anomalies as they occur, or to take a more proactive approach to protection.
Frank Ohlhorst is an award-winning technology journalist, professional speaker and IT business consultant with more than 25 years of experience in the technology arena. He has written for several leading technology and business publications, and was also executive technology editor at eWEEK and director at CRN Test Center.