Ask just about any client what one of the most important things they are looking for in a data center is and you will likely hear, “security” over and over again. Securing the traditional data center is a challenge unto itself but now many data centers are hybrid of traditional storage and cloud storage which complicates security immensely. Information Week describes the challenges faced in data center cloud security, a well as the strengths it will have moving forward, “Moving beyond traditional perimeter security into public, private, and hybrid cloud architectures stretches the capabilities of traditional security tools. It creates new security holes and blind spots that were not there previously. But cloud security is looking brighter by the day, and very soon cloud security tools will outmatch any type of non-cloud parameter security architecture. In many ways, cloud security is gaining in strength based on a seemingly inherent weakness. Cloud service providers are in a unique position to absorb vast amounts of data. Because large clouds are geographically dispersed in data centers around the globe, they can pull in all kinds of security intelligence as data flows in and out of the cloud. This intelligence can then be used to track security threats and stop them far more quickly.”
The problem is not a static one, it is a fast-paced, growing challenge. The more heavily the cloud is used, the more information it stores, the more security is needed but also the more potential holes in security there are. Security must scale at the same rate, or faster, than the growth of the data center. Because it is relatively new, and rapidly evolving, there are not clear-cut standards for cloud security in place. It is important for data centers to pay attention to what is happening in the industry and look to others, such as the U.S. government, for what is working in cloud security, which TechTarget elaborates on, “For example, cloud providers that handle confidential financial data should underscore their compliance with the Payment Card Industry Data Security Standard (PCI DSS) specification as proof of the integrity and security of their operations. PCI DSS does outline requirements related to cloud-specific aspects of security, stipulating that providers must segregate cardholder data and control access in addition to providing the means for logging, audit trails and forensic investigations. But the highly dynamic nature of most cloud-based applications — which often lack built-in auditing, encryption and key management controls — makes it expensive and impractical to apply the PCI standard to most cloud applications. Providers and enterprises seeking answers on cloud standards for security have found guidance from an unlikely source: the U.S. government. Though not usually perceived as a leading-edge technology adopter, the public sector has been engaged in aggressive security standards development efforts to support its Cloud First initiative, which requires federal agencies to select a cloud service for new deployments when a stable, secure and cost-effective offer is available. The Federal CIO Council laid out 150 cloud security controls for its Federal Risk Assessment Program (FedRAMP), which provides a baseline for common security requirements that agencies can use to verify that a prospective cloud provider supplies adequate cloud application security. Compliance will be validated by third-party assessment organizations. Using cloud-specific security requirements created by the National Institute of Standards and Technology (NIST), FedRAMP offers agencies a common set of cloud standards they can use to sanction a cloud provider. If the particular agency has additional security requirements, then the provider can build on its baseline controls to address these needs.” The a cloud is a cost-effective way for many data centers to scale to meet customers’ needs but security protocols must be in place to ensure that, as scaling occurs, data continues to be properly secured.
