Thoughts on British ICT, energy & environment, cloud computing and security from Memset's MD
Cloud security is nothing mysterious and the same approaches that one takes when verifying any supplier’s integrity should be followed. You should ask questions like:
1) Will the data remain within the EU (for data protection)
2) Who in the supplier organisation has access to my data and what control are placed upon them?
3) What checks does the supplier make on its staff (eg. CRB checks etc)
4) Does the supplier have a certified ISO27001 Information Security Management System?
5) What other certifications or standards does the supplier adhere to (eg. ISO9001, Cloud Industry Forum Code of Practice, etc)
6) What level of resilience am I guaranteed and how is this achieved (eg. OpenStack cloud storage systems like Memstore keep 3 copies of every object giving a 99.999999% per year per object durability rate)
In the case of cloud computing there are some additional questions to be asked but again nothing really outside the remit of normal IT operations. For example, we are going through the CESG assurance process for the hosting of restricted content in our public cloud. To that end we have had to undergo a range of 3rd party penetration tests which, it should be added, conclusively demonstrated that our Memstore and Miniserver VM products have no security vulnerabilities.
The main threat to security, however, is rarely over the wire. If you are concerned about data theft then you should be concerned about “purchase key” attacks (ie. bribing someone), most probably from within your own organisation. When faced with such attacks it is often actually much better to have the data off-premise with a provider who has invested in tight security and monitoring of their own systems administration staff.
Off-premise has other benefits too. If I were to try and steal your medical records, for example, I know where to break in: your local GP surgery which has minimal security. If I wanted to steal the data from one of our customers’ servers, even if I managed to get past the data centre’s impressive defences I would then be faced with banks of thousands upon thousands of identical machines with meaningless labels like “SRV01403” on them and would not know which to steal.
Over-the-wire attacks are very easy to defend against, for the most part. The rising problem we see is not one of data confidentiality or integrity but rather availability due to the rise in distributed denial of service attacks (dDOS). Again, this is a strong-argument off-premise hosting since few organisations can afford the multiple-gigabit network uplinks necessary to defend against such attacks. Also we are seeing a steady rise of the role of organised crime in this area, rumoured to especially target gambling sites who they then extort money from (minutes of downtime can cost such operations a fortune).
There is an on-going cyberwar behind the scenes that most people are unaware of. We host 20,000 of Britain’s busiest Web sites. our automatic systems deflect 20 DOS attacks every hour, and our team have to deal with a major dDoS about once a day. Across our entire estate we experience about one attempt to hack into a custom server every second, but again those are harmlessly deflected by our firewalls and security patching without our customer ever knowing – just us doing our jobs. The breaches we do get tend to result from people having passsword like “d0nk3y”.
In summary, when using cloud services:
1) Apply common sense checks to validate the supplier’s security credentials.
2) Don’t be afraid of using off-premise cloud, it may be much more secure than on-premise.
2) Choose a good password! Here’s how.