Managed Dedicated Server, Reseller Web Hosting, Domain Names, Web Design, SEO - Version Next

Cloud computing has not yet taken over the server industry, and there are plenty who are

resisting all attempts. Nevertheless, the usage of cloud services and hybrid cloud

deployments has increased gradually, and anyone who uses dedicated servers and has some type

of web presence should at least take a look at it.

One of the many concerns system administrators, security experts, and free software

advocates have about cloud servers or software as a service (SaaS) is that the moment they

move their data to the cloud, it is out of their hands and under the control of a third

party. This is a valid concern.

Once another company controls the access to and delivery of your data, you are at the whims

of their shareholders. The moment they decide to pull the plug on a project or (even worse)

have their plug pulled by bankruptcy, government seizure, or any other unfortunate event,

you may be left with nothing.

For cloud technologies that use free and open source software, it may be rudimentary to

export data. For cloud services that use proprietary data formats and closed source

software, you may have no way to convert data to a useable format when moving from one to

another. For that reason, it is important to investigate the company’s policies and software

user agreement ahead of time, before you possibly put yourself and your business in a

compromising position.

Thousands of websites and millions of pieces of private data are increasingly in one big

cloud, where some of the old rules of data security are out the window.

What’s at risk?

Take the example of credit card data. Most of us don’t think twice about saving account

numbers and security codes into our online shopping profiles. The Payment Card Industry (or

PCI) is a global information security standard established by a consortium including Visa

Card, MasterCard, American Express and Discover, that places specific requirements on the

operational infrastructure that handles high-risk data like credit card information. If an

infrastructure doesn’t conform to any and all PCI regulations, then it’s not PCI compliant.

And because cloud infrastructure is so vastly different than that what PCI was written for,

most cloud service providers are in fact, not PCI compliant.

How a cloud service provider encrypts client data is also key to security. According to

Forrester cloud analyst Chenxi Wang, cloud data encryption can be scattershot. Some services

encrypt their data; some don’t. For those that encrypt, it’s worth figuring out whether the

encryption is strong enough, whether the physical server that stores your data is entirely

encrypted (ie. is all client data encrypted the same way?) or whether the service provider

offers applications that encrypt your data separately and with different keys than other

stored data.

That last concern stems from a popular cloud practice: some cloud providers store data from

multiple clients on the same physical server. So, Client A may be running one “virtual

machine” and Client B can be running on another “virtual machine,” but both could be

physically running on the same server. If an experienced hacker gains access to Client A via

a security hole, it’s not outside of the realm of possibility for the hacker to gain access

to Client B’s data as well. Even Client A, if they’re up to no good, could become the

culprit.

“The risk of that, depending on how the cloud provider, may be minimal, or it may be quite

substantial.” admits Wang. “From the absolute security stance, there is a risk that the

other company who happens to rely on the same infrastructure may be able to utilize some

covert terminal, or some kind of interface that’s available to actually hack into your part

of the infrastructure.”

Another concern is the use of the third-party companies for various components of a cloud

service. Cloud services are relying on third parties more and more.

We know recent example where third party usage has gone horribly awry. For back-up purposes,

client data is often written to tapes or drives, but after a given period of time, most

back-ups need to be destroyed. Recently, an unnamed cloud provider sent their back-up tapes

to a data disposal company. The data disposal company lost all the tapes, and thus all the

cloud client data on them.

“The cloud provider was put in a very bad situation because they don’t have any assurance

the data was actually destroyed.”