Data security and cloud adoption: myths, realities and the future.
Prepared By
Information security concerns arguably remain the single biggest barrier to the adoption of cloud services. It is often said that perception is everything, but to understand whether these concerns are based on reality it is worth breaking down the term "cloud" before discussing security.

The Cloud

Cloud is a relatively modern term used to describe the long-standing provision of hosted IT processing; in fact, CCE has been providing a hosted service since 2006. It could reasonably be argued that the term cloud is in itself unhelpful, as the image of a cloud is a sort of generic, fluffy diagrammatic excuse to avoid detailing the intricacies of a wide area network linked to complex hosted services. The term cloud has become the darling of technology marketeers everywhere; it has been adopted by the media and now even by the government to describe anything and everything that is not on premises. As a consequence, because of the vast array of services and solutions that cloud covers, many misconceptions and confusions have slipped in, particularly when attempting to differentiate the offerings. Whilst benefits such as agility, scalability, availability and potentially cost savings are common to all cloud services, perhaps the most important line to draw in the sand is that between Private and Public cloud services.

Public Cloud

Public cloud is defined as a multi-tenant environment, where you lease a service in a cloud computing environment that is shared with a number of other clients or tenants. Public Clouds typically deliver a pay-as-you-go model, where you pay by time or number of users purely for the resources you use. A classic use of this would be a test and development environment where servers and resources are spun up and down on a regular basis. Well-known Public cloud services include Microsoft Office 365 and Amazon Web Services.

Typical Public Cloud features include:

No long-term contracts - The pay-as-you-go model is commonly used to acquire services on demand.

Shared services - Due to the multi-tenant environment, the service you use, whether hardware or software, will often run on the same hardware, storage and network devices as are used by the other subscribed tenants. Compliance with generic standards is possible, but individual requirements are unlikely to be met.

Control - Typically, many of the controls are passed over to the service supplier. Whilst the customer can retain user access controls, software updates, hardware performance and maintenance outages are amongst the areas often under the control of the supplier. To many prospects, these are the biggest obstacles to engaging with a cloud service supplier.

Private Cloud

Private cloud services are typically single-tenant environments where the hardware, storage and network are dedicated to a single client or company. Co-location services are perhaps the most common form of private cloud arrangement, whereby a business hosts its own hardware and data at a data centre, taking advantage of the service provider's superior power, security and environmental facilities.

Typical Private Cloud features include:

Security - Because private clouds are dedicated to a single organisation and cannot be accessed by other clients in the same data centre, the hardware, data storage and network provision can be designed to provide high levels of client-defined security.

Compliance - Because the hardware, storage and network configuration is dedicated to a single client, compliance with standards such as ISO, PCI and SOX is much easier to achieve.

Bespoke configuration - Hardware provision, including processor, storage and network performance, can be specified by the customer.

Hybrid - A business system can be split between an on-premises database and a cloud database, perhaps for data protection or performance reasons. This is not available in the Public cloud.

High levels of security, performance and compliance are all achievable in the cloud as long as the appropriate service model is selected.

CCE Approach: the difference

Our Private Cloud is designed to deliver an end-to-end IT service; at its core is the CCE Network, which we, as an Internet Service Provider (ISP), have built. The network has no single point of failure and connects to our private and secure co-locations held within carrier data centres. The network has been running for around 10 years and has over 20,000 end points, all monitored by our 24x7 UK-based operating centre staffed by our own engineers. We use 3 data centres connected to each other by 10Gb fibre links to ensure that we are always connected and able to continually replicate data and systems between them. Our co-locations hold large banks of Blade Servers running the latest VMware environment, sitting on top of Enterprise Storage Area Networks (SANs). They also contain resilient hosted telephone servers, dual firewalls, and dual routes to the Public Internet and the Public Switched Telephone Network (PSTN). Further data protection and security is provided by the latest Symantec Anti-Virus and filtering services, all supported by our in-house 24x7 UK-based team.

CCE recognises that the low-cost aspect of a Public Cloud service is attractive to some clients for their non-critical work, but that they are worried about the security aspects as well as the location and distribution of their data. To address these concerns, CCE, as an approved Microsoft 365 practitioner, offers its own version of Hybrid: we are able to supply the functions of 365 but keep all client data in our private cloud, which is located within our secure UK-based data centres.
Data Security

It seems not a week goes by without another "hacked" headline relating to a well-known organisation being the victim of a cyber-attack and having its client data stolen. Compliance, fear of litigation and general reputation management mean that keeping client and employee data secure is of increasing importance, particularly for personal data, which falls under the Data Protection Act requirements. This is about to take on even greater importance in 2016, when the new EU-wide data management regulations will be confirmed and published under the name General Data Protection Regulation, or GDPR. The new regulations are potentially far-reaching and, because they will be mandated as an EU Regulation, legally enforceable, with the following headline changes:

Stronger penalties for data breaches, ranging up to 4% of revenue
Tougher requirements on consent (requirement to opt in)
Enhanced rights for individuals (right to erasure)
Data processors (including cloud service providers) will be held responsible for data protection

This is the most significant development in data protection that Europe, possibly the world, has seen over the past twenty years, and it is therefore unsurprisingly designed to take full advantage of modern technologies and the way we work with them today and are likely to work in the future. In addition, there is a much greater emphasis on compliance, following a widely held belief that business has not previously taken data privacy seriously enough. As a consequence, penalties are considerably harsher. The new compliance requirements are intended to spread a far wider net to include small and medium businesses. Although the details are yet to be finalised, it is clear that cloud service suppliers face new challenges such as the right to erasure and a significantly increased responsibility for the integrity of data.

One of the challenges for many businesses is the classification of data. Whilst the DPA only applies to personal data, for many organisations, particularly when it comes to email, it is almost impossible to distinguish and separate personal from non-personal data. To ensure appropriate data security is in place the highest common denominator wins, and there is no choice but to apply a one-size-fits-all approach, resulting in secure but expensive services that may only be required for 10% of the data. With the amount of data being captured, processed and stored growing exponentially, the ability to classify it accurately, and therefore treat it appropriately, has to be an area for significant future development.
In summary, data security remains a barrier to cloud adoption and will become even more significant with the new data protection regulations; therefore cloud service providers who adopt the right approach have an excellent opportunity to benefit from these developments. Businesses will be required to have a greater understanding of the type of data they hold and what the appropriate protection needs are for their clients and employees. This better-educated client base will realise that a good quality cloud provider is highly likely to offer higher levels of data protection than the vast majority of on-premises facilities, resulting in the potential for a significant increase in demand for cloud services.

Some common cloud myths

Myth 1 - Data is less secure in the cloud

Perhaps the single biggest barrier to using cloud services is the belief that it must be less secure than keeping data on premises. The reality is that in the vast majority of cases security is enhanced rather than diminished when using a high-quality cloud service provider. Sophisticated internal network infrastructures will have firewalls, proxy servers, DMZs and Intrusion Detection Systems, but unless the organisation is a huge global conglomerate with deep pockets, it is unlikely to be able to compete with the level of information security sophistication that a cloud service provider has installed. Such providers are often certified to PCI DSS, ISO and ISAE standards.

Myth 2 - It is harder to comply with the Data Protection Act when using the cloud

Many believe that having client or employee data hosted in the cloud makes it harder to comply with the DPA; indeed, some businesses even believe it is a direct breach of the Act. The reality is that the Information Commissioner's Office, the government body responsible for compiling and policing the DPA, recognises the requirement to use cloud services and issues detailed guidance on how to ensure you keep your data safe and comply with the regulations. What has become increasingly important is the need to apply appropriate due diligence when selecting a third-party cloud service provider.

Myth 3 - Putting my data in the cloud means handing over control to the service supplier

It is a common belief that once a cloud service is being used, control of the service, application and data ends up in the supplier's hands. This is a good example of where the wide use of the term cloud can cause confusion when it comes to the granular level of control available, which depends on the service subscribed to. It is true that in a Public Cloud scenario, for example Office 365, the ultimate supplier of the service (in this case Microsoft) retains control over software updates and features, including when they will update or change and impact the user. Other Public Cloud software-as-a-service solutions retain similar controls. In a Private Cloud scenario such as ours, it is very different. CCE offers a co-located solution whereby the service provided is infrastructure in the cloud, so it is usual for our clients to retain all control over hardware, software and data.

Myth 4 - "On premise" is an acceptable term in cloud discussions

It isn't. The correct term is "on premises" (important if trying to get the Institute of English Professors to use cloud services).