Explaining cloud security requirements and providing a sound security strategy is an essential part of building customer clouds, whether they are private, public or hybrid.
Accelera Solutions, which delivers virtualization technology solutions to both commercial and federal customers, uses technology from Citrix, Microsoft and VMware to build on-premises secure private clouds and offer public cloud services to a variety of customers.
President and co-founder Joe Brown, who manages the sales and marketing team, sat down with us to discuss building clouds for customers and cloud security strategies.
Do your customers generally opt for private, public or hybrid cloud solutions?
Joe Brown: Most often today, our customers are using private cloud technology. We have some organizations working with us to develop hybrid cloud solutions so that they are leveraging some services from the public cloud, or just moving some of their infrastructure components to the public cloud. This is beginning to gain a lot of traction.
How does each of these models differ in terms of their cloud security requirements, and what are the basic components of a cloud security strategy?
Brown: Private clouds can rely on traditional security methods for the most part—firewalls, antivirus, etc., which are typical enterprise technologies. Those tend to be sufficient for private cloud, mainly because the data isn’t somewhere else. It is typically not a multi-tenancy environment.
Hybrid cloud tends to be a bit different in that you end up having part of your environment or data in a shared multi-tenancy environment, so you need a little more granular audit-level capabilities on your data that is in the cloud. This way, you can very easily and quickly determine if someone has been there that shouldn’t be. Citrix Cloud Gateway provides identity management and user-level auditing of application access and license usage.
With a pure public cloud environment, you have to use a whole different set of technologies that are not typically traditional enterprise security products. Those are provided by the public cloud infrastructure organization, so you are sort of at their mercy with regard to the technologies they provide and the safeguards they provide around your environment.
How do various applications require different cloud security strategies? Are there some applications that require more stringent security approaches?
Brown: When you’re looking at hybrid and public cloud environments, they require a little more stringent security measures. With public cloud, you have to ensure that your data is not being tampered with on a fairly regular basis. You need to have auditable, automated controls around analyzing who is touching your data and how they are doing it. You have to do that with technologies that have, to a certain extent, ‘chain of custody’ capabilities. Being able to watch a file from inception to when it’s destroyed and determining who has touched it and what they have done to it becomes critical.
Symantec E-Vault is a great tool for tracking and auditing access and changes to documents from cradle to grave. It's designed like a document management system with automated check-in/check-out capabilities that is integrated into all file servers and email within an enterprise or in the cloud.
Does cloud security differ for government and/or healthcare?
Brown: Anytime you’re dealing with one of the verticals that has particular regulatory compliance requirements to it, like healthcare with HIPAA, there are certainly safeguards you have to put in place to eliminate someone’s patient data from becoming exposed to unauthorized people. So, regulatory compliance tends to drive that.
Anything around healthcare or privacy information, those are all challenging environments to be in. The federal government is included in that, with the FISMA requirements. They tend to be pretty challenging as well. Anybody who is in a public sector space—the Department of Defense, for example—they have increased levels of security requirements that others generally wouldn’t have.
How do cloud security strategies address regulatory compliance?
Brown: In the case of healthcare, cloud environments tend to leverage virtualization technologies to deliver information to people, and to a certain extent, increase the level of security by virtue of leveraging these virtual desktop or application technologies. They don’t actually transport the data down to the endpoint device. So, that tends to improve the security posture of applications that would otherwise potentially leave sensitive data on computers that people are using to access the patient records.
Virtual desktops and applications execute in the cloud, not on the user's computer. The user interacts with a remote session of the desktop or application and only screenshots, keyboard strokes and mouse clicks are transported back and forth between the user's computer and the cloud; therefore, all of the back-end data or documents never make their way down to the user's computer. This improves the level of security dramatically by eliminating possible loss or theft of data that is stored on the computer and improves the customer's data at rest posture.
What specifically needs to be offered in terms of cloud security?
Brown: You need to be able to make the customer feel comfortable with what you’re providing them. To do that, you have to be able to demonstrate your security capabilities in the cloud. You have to not only have the technology, but be able to explain it so that people are comfortable with it. The communication of the cloud capabilities is something that is critical for partners and providers to do.
What’s important about going to the cloud is doing a lot of upfront planning and preparation. Doing your homework and enlisting a pro to really help to get there in a smooth way. What’s important about the journey is making sure it’s done in a slow, controlled manner, versus rushing out trying to do it all at once.
How important is it for partners to offer cloud security?
Brown: Partners definitely benefit from using or improving cloud security. I think it is just an absolute requirement these days in order to capture business from larger customers. Partners are rewarded by additional customers and revenue growth.