Securing public and private clouds

27 Sep 2010

John Pescatore
Organisations need to match threats and business demands with the right security approach

The use of public and private cloud technologies raises several security challenges, but none that are impossible to meet. In order to effectively and efficiently secure cloud computing, organisations need to match threats and business demands with the right security approach.

The term "cloud" is overhyped, so let's first get some terminology defined: Gartner defines "cloud computing" as "a style of computing where scalable and elastic IT-enabled capabilities are delivered as a service to customers using internet technologies."

“Private cloud” is similar, except that the customers are internal to the business.

Just as there is no one-size-fits-all approach to business success, there are different approaches to using IT for business gain. Gartner has long defined organisations as Type A, Type B or Type C, essentially based on how aggressively an organisation uses technology. Similarly, even organisations in identical industries often have very different levels of risk tolerance and very different approaches to security. Because of this, the cost advantages of cloud computing will often cause Type C organisations to adopt it earlier than Type B organisations.

Gartner identifies three broad styles of security that will be applied to public and private cloud computing services.

1: Depend on security built into the cloud infrastructure

Just as operating system vendors, such as IBM, Microsoft and Sun, built some security functions right into their operating systems, and switch vendors such as Cisco did the same in network infrastructure, the vendors of virtualisation technologies for private cloud (such as Citrix and VMware) and the external cloud service providers (like Amazon and Google) will build security technologies into their cloud "operating systems". VMware and Google have already acquired and integrated security. For many smaller organisations and those where security concerns are not a high priority, relying on the built-in security capabilities of the public or private cloud infrastructure will be good enough - as long as there has been some third-party validation of the effectiveness of those security controls. Typical use cases will be:

• Applications that only store or process public data
• Small businesses that are not subject to compliance demands
• Private cloud applications that are well-shielded from external access.

For this scenario, organisations need to focus on the transparency of the security services built into the cloud platform and the quality (and freshness) of the third-party security audit.

Reader comments

Security as a Service?

Hi John, great article.

Like so many of the concepts associated with cloud, such as compliance and performance, security itself can be broken into a number of sub-components. These include elements such as data at rest, data in transit, ID management, role-based access, and log management.

Within an organisation, each of these sub-components is likely to be treated with differing levels of severity. Everyone seems fixated with public and private clouds but it's time we stopped trying to fit everything into a 'box' and accept that the hybrid model is already being used by many enterprises today. I agree also that in time security vendors will develop products and APIs that further enable organisations to push more of their services into the external cloud.

For me, user access is going to become a key component or issue depending on how you look at it. I can see a new 'Security as a Service' model appearing, where a federated approach to user access is provided allowing users to gain access to private and multiple public cloud services and applications from a single repository.

Posted by: Tom Brand  29 Sep 2010
