Integris Credit Union is no stranger to cloud computing, but it treads carefully. The financial institution based in Prince George, B.C., keeps member and other data on a private cloud. As information security officer Bryan Simon explains, all of this material resides on in-house servers.
Using software from Palo Alto, Calif.-based cloud infrastructure provider VMware Inc., Integris has virtualized those servers. Among the benefits: It can run several virtual servers on a single machine and move them from one physical host to another when servicing or replacing hardware.
As happy as it is with this private arrangement, Integris stays away from public cloud services such as those offered by Amazon.com Inc. and Google Inc. "The data on our members and financial information is of high value and importance," Mr. Simon says. "We have a huge reputational risk when it comes to the security of that data and where it resides."
First, there isn't much guidance in Canada about how privacy laws should be interpreted for public cloud services, Mr. Simon says. Second, Integris members may not want their financial information spending time in foreign data centres. Third, using a public cloud means sharing a server with other tenants.
"How are you impacted as a customer if the other person on that server is served a search warrant, for example, or is the subject of an investigation and the data needs to be confiscated offsite?" Mr. Simon asks. "There's the potential for our data to also go with that."
For organizations large and small, cloud services present a variety of security challenges. Besides asking vendors some tough questions, it's important to remember that standard security measures may not work on the cloud.
Integris need not worry about other cloud tenants, but it still must fend off hackers and viruses. "Traditional security products that you might have in your environment don't always play very nicely in a virtual world," Mr. Simon notes, citing network intrusion detection sensors.
But safeguards such as virus protection and firewalls do translate, he says – especially when they're tailored to virtualization. To help hold the fort, Integris is rolling out Management for Optimized Virtual Environments (MOVE) AntiVirus from U.S. computer security firm McAfee Inc.
Choosing between public and private cloud services – or going with a hybrid of the two – often comes down to sensitivity of data. There's no right answer, says Rafal Los, the Chicago-based chief security evangelist for HP Software, the enterprise software arm of Hewlett-Packard Co.
"Public cloud may be good for something; private cloud may be good for something else," Mr. Los says. "It's a risk-based decision based on what the end user is comfortable with and what they know of their vendor. It requires due diligence and real risk analysis."
Part of that due diligence is understanding what the vendor provides and what you're expected to do yourself, Mr. Los advises. "Don't assume your carrier, your vendor or your provider is actually going to do any kind of security for you."
As for private clouds, Mr. Los points out that the risks aren't drastically different from having one's own data centre. "I keep hearing people say you have to rethink security for the cloud, and that's simply not true," he says. "You have to rethink security because you've been doing it poorly."
Perimeter-based security doesn't mesh with cloud environments because they're so elastic, Mr. Los adds. The cloud calls for data-centric security, he says: "You have to draw distinct lines around where your actual data is, so if you move your data, the security policy has to go with it."
EMC Corp., a Hopkinton, Mass.-based provider of cloud and other information infrastructure, maintains that enterprises will increasingly adopt a hybrid of private and public cloud services. For instance, a bank might keep a trading application private but use a public e-mail service.
On the public side, it's important to ask what access control the vendor has, says Michael Sharun, EMC Canada's Toronto-based managing director. "What do they have in terms of overall infrastructure to make sure information that's sensitive is not being accessed from outside?"
However, given the right cloud provider, information may be safer with it than inside the customer's four walls, Mr. Sharun contends. "If somebody's trying to break into your data centre and get to your data, you may not have all of the resources required to ward off that attack," he says. "Whereas if you're a large organization and that's all you do, you have a lot more controls in place and you can spot these patterns a lot easier."
Also, a cloud with multiple tenants isn't necessarily public. Chris Sator, chief technology officer for cloud and managed services at Toronto-based enterprise data and solutions provider OnX, says his company's secure community cloud is for members only. "That filters out a lot of the concerns that really are faced on public clouds, because not everyone has access."
Until recently, the challenges of managing identity made it tough for many organizations to move to the cloud, says Brian Contos, McAfee's customer security strategist and senior director for vertical and emerging market solutions.
But advances such as single sign-on, which lets customers access different cloud services with the same username and password, have supplied the missing identity piece. "Now that that part's been filled for the most part, there seems to be a relatively rapid adoption," Mr. Contos says.
Just don't rush into a relationship with a cloud services provider, he warns. "People really need to understand that going into these. It is a partnership. You're trusting them with potentially your most sensitive data, and you have to ask yourself: 'What is the risk to my business if I don't do my due diligence?'"
Special to The Globe and Mail