SINGAPORE, 5 JULY 2011 - Singapore IT leaders lead the global cloud computing adoption trend, with over nine in 10 enterprises using the cloud today, compared with eight in 10 global enterprises, according to cloud provider Savvis' managing director of Asia, Mark Smith.
However, 59 percent of Singapore enterprises do not have a formal process in place for assessing the security practices of their cloud provider, estimated Smith. In the following Q&A, he shared details on how enterprises can evaluate their vendors.
How does Savvis deal with cloud security?
A recent independent study commissioned by Savvis that surveyed global IT decision makers showed that the biggest barrier to cloud adoption is security, especially when it comes to adoption of mission critical applications in the cloud.
Savvis takes cloud security extremely seriously and built enterprise-class features and security into our cloud architecture from the onset. Unlike many cloud providers, we have undertaken independent application code reviews, penetration testing and performance testing to demonstrate the high grades of security and performance of our cloud services.
Can you offer some tips on evaluating a cloud provider?
It helps C-suite executives to answer questions such as:
1. Security Profile per Compute Profile: Can you define security policy around a group of compute profiles?
2. OS Management: Does the cloud provider harden its operational systems and manage the availability of the server operational systems?
3. Resource Management: How does the cloud provider allocate, manage and plan around resource utilisation?
4. Data Security: How is data at rest secured? How is data in transit secured?
5. Identity Management: How are user identities managed in the cloud environment?
Also, evaluating the security practices of your cloud provider should be performed annually to reassess controls.
What are some of the evaluation points that users miss out?
From my experience, I have seen that most OSes are quite vulnerable from the moment they are deployed. Additionally, IT teams should pay special attention to their firewalls - some firewalls are limited in their protection capabilities or reliant on OS-level firewall rules that must be manually configured. The security solution at the perimeter and server tier should consist of stateful packet inspection firewalls.
Another simple checklist item that easily gets left out is the physical security aspects of the data centre - like access to and environment of the computer rooms. It is critical that these security aspects stay consistent year-long.