Join David Linthicum for an in-depth discussion in this video Cloud security planning, part of Learning Cloud Computing: Core Concepts.
- It's been my experience that security is the most important aspect of any cloud project. Unsecured clouds will fail quickly. Make sure you understand the security options, including certain security models, technology, and tools. Being proactive is the best defense, as we covered in the past videos. Make sure that you focus on monitoring and taking corrective action. It's the most important aspect of cloud security. Cloud security requires that we understand the very basics such as being reactive to the ultimate security solution where you can be more predictive, or spot issues before they become real problems.
Using this maturity to understand the differences between the basics, layered tools, and integrated tools, then being proactive and predictive. Note that just after using the integrated tools, that we reach minimum viable cloud security, which is good enough. Most enterprises, however, set the objective to be predictive, and thus, more secure. Deal with the basics first. This means that we'll set a foundation of security that provides a minimal amount of security that we need.
It's important that this is the foundation, else we may focus too much on the proactive and predictive stuff, and could be vulnerable at the primitive level. Understand that the maturity model presented in the last slide is progressive, in other words, take it in an orderly fashion. Be proactive, meaning that the heart of any good cloud security architecture and technology is the ability to spot issues before they become problems. By the time a hacker has access to your data, it's too late, but you can easily see how they progressed to the point and stop the attack before it becomes an issue.
This means that we should leverage security standards, and there are many, but should do so with productivity in mind. If using a standard not required by the law means that we're making the end users less productive, then perhaps we should not be using that standard. Security is as much about people issues as it is technology issues, and thus we need to focus on what roles and processes exist. For example, it's the job of the DBA, database administrator, to report strange activity on the database to the security administrators, so that the issue can be looked into.
If anybody takes the position that it's not their job, chances are clear indications of a breach will go unnoticed. This means that we're looking to improve unless there's a sound feedback loop that exists that allows cloud security admins to improve cloud security ongoing. In some instances, this could be moving to a new level of encryption for data at flight, or at rest, that's more secure and easier to manage.
- Types of clouds: SaaS, IaaS, and PaaS
- Identifying the data and applications to move to the cloud
- Migrating planning
- Selecting a provider
- Cloud security
- Cloud operations