Many businesses are hesitant to change to Cloud computing due to security issues. ROELOF LOUW, Cloud Expert at T-System SA says that it is for this reason that businesses should adopt an end-to-end approach, encompassing IT security, data protection and availability.
Cloud computing is predicted to be the future of the technology world, and analyst reports abound on the expected growth of the uptake of these solutions. However, security issues remain one of the dominant barriers with the adoption of cloud solutions. Many organisations are hesitant to migrate to the cloud in light of the ever-increasing number of attacks on cloud-based solutions as well as the risk of downtime cause by natural disasters and other issues in the regions where cloud data is stored. When making the transition to the cloud, it is critical to adopt an end-to-end approach that focuses on IT security, data protection and availability, enabling organisations to leverage the multiple benefits of the cloud while minimising the risks. Furthermore, it is crucial to factor in both the internal and external risks associated with cloud computing which too requires a holistic approach.
This in turn requires that all potential threats be identified, and structured protection mechanisms are put into place which go beyond technology and incorporate processes and people across multiple areas. There are 12 elements that should be considered to ensure the security of both data and applications when moving to a cloud platform.
1. Identity management
Identity management, including roles and rights, end-point security and access control, is a cornerstone of any ICT security solution, but is particularly important when it comes to the cloud. If employees can access business critical information, there is always a risk that this will be misused, and if outside persons can access this information the danger is even greater. Thus applying stringent identity management, security and access control on a need-to-know basis is a vital foundation component of an end-to end cloud security solution.
2. Secure communication into the cloud
With cloud services it is essential that data not be compromised when transferring between the user and the service provider. When data is sent over public networks such as the Internet, it must be encrypted to prevent access by unauthorised parties, to safeguard integrity and confidentiality. Secure remote access should be enabled using a Virtual Private Network (VPN). Security can also be enhanced using a Multi-Packet Label Switching (MPLS) VPN, which ensures that data streams sent by different users and services are strictly segregated. Before migrating to the cloud, organisations need to appraise their requirements to identify business critical applications, to ensure that necessary bandwidth, Quality of Service (QoS) and prioritisation are delivered to ensure seamless service.
3. Transparent contracting within the cloud
Cloud applications can be distributed across multiple data centres, and the availability, confidentiality and integrity of data exchanged by cloud services and distributed applications within the cloud must be protected at all times. Data can also be moved from one data centre to another in order to create back-ups or improve resource utilisation. More complex cloud offerings often integrate third-party services, which makes visibility and transparency into the value chain critical. It is essential to clearly specify in contracts which services will be delivered by whom, and who is legally responsible in the event of any issues.
4. IT systems in data centres
When deploying cloud solutions, additional security measures are required at the data centre. Cloud computing is based on multiple clients sharing the same hardware and software, therefore, it is important to implement mechanisms to safeguard systems, applications and data. This requires virtual segregation of users to ensure that they cannot access another user’s data and compromise the integrity of systems. Data should also be isolated in dedicated network storage areas, similar to hard drives, which are accessed by the users’ servers via the network. These should be connected in such a way as to ensure that customers can only access their own data, as though they had their own dedicated drive.
5. Protecting IT systems on the service provider side
To ensure the right level of security, mechanisms that protect systems, platforms and applications must be implemented at the data centre. In addition, there needs to be a secure link between the IT components stored at the data centre and the connection to the outside world. To ensure effective protection of the network segments, service providers need to employ two different types of firewall. Firstly, they require firewalls that perform stateful inspections of communications, ports and applications. Secondly, they need deep-inspection firewalls that can scan data transfer protocols for ‚”good‚” and ‚”malicious‚” queries. Further key mechanisms include proxy servers and reverse proxies that filter and convert both incoming and outgoing data traffic, shield sensitive information, minimise vulnerabilities and help make ICT more secure.
6. Data centre security
Buildings and hardware assets at the data centre require physical security as well as technology security, including physical access control and intrusion detection. Data centres must be constructed to enable the building to withstand natural hazards, such as storms and hailstones, potential physical sabotage and fire. The facility must be located away from regions that are susceptible to heavy storms, flooding and earthquakes, and must meet a host of other criteria to ensure smooth operations and customer data security. Data centre protection should also include alarms, fire detection, surveillance, vehicle monitoring and control, and extensive staff checks to prevent attacks from within.
7. Security management and secure administration
The human factor not only plays a pivotal role in the security of cloud services for users. It is also an extremely important issue for the service providers themselves. For this reason, providers should operate a dedicated information security management system (ISMS) which defines processes and rules for the effective management of information security. Cloud providers must also draw up rules that ensure employees meet security requirements and specify which users can access which systems and data and who is responsible for which operational and security-related tasks.
8. Service management and availability
Application downtime can be detrimental for business, particularly when mission critical systems are affected. As a result, organisations using the cloud must be involved in the definition of appropriate service levels. Service providers need to safeguard availability by creating redundant systems and backups that allow for system recovery following downtime.
9. Contracts, process integration and migration
The scope and type of ICT services must be defined in a written agreement.
Requirements must be outlined and any necessary changes need to be implemented and monitored. Organisational structures and processes must be in place to enable a rapid response to security incidents or threats. Services must be clearly defined in a service level agreement (SLA), and mission critical applications need to be identified to ensure the correct levels of availability and security. Documents should also outline emergency procedures, including the sequence in which systems will be reactivated following failure or downtime.
10. Security and vulnerability management
To avoid migration issues, any weaknesses or faults in infrastructure must be identified and addressed from the outset. This involves comprehensive testing and risk assessment. Security is a central issue across the entire lifecycle of an ICT system. This begins with documentation and correct management of configuration data. In addition, installation and configuration processes are key concerns. The proactive management of vulnerabilities and other developments designed to offer visibility into and enhance security and eliminate breaches in advance are also critical.
11. Security reporting and incident management
Visibility into the degree of security achieved is critical for mitigation of business and legal risks with regard to the impact on IT-supported business operations and potential compliance breaches. Security reporting provides this visibility, offering insights into the effectiveness of the protection mechanisms in place. Analysing this data enables measures to be modified, replaced or enhanced as required, leveraging the information available for proactive corporate risk management.
12. Requirements management and compliance
Users must comply with legal, regulatory and industry-specific requirements, including in-house policies, contracts with customers, suppliers and partners, and other obligations. Users need to verify that their cloud service provider can meet these imperatives. Data protection legislation varies widely from country to country. Organisations also differ in terms of processes and potential threats, and the extent to which security incidents would negatively impact the business. A strong cloud service provider partner should offer a secure and assured route to the cloud, aligning it with the company’s specific business context and requirements.
In light of the ever-growing threats, IT security is becoming increasingly complex, costly and time consuming, and increasingly complex technical requirements and rising costs of ensuring effective security are set to make outsourcing and cloud computing ever-more popular alternatives to in-house operation. However, organisations need to select cloud service providers carefully, in order to ensure services are delivered in a secure, compliant manner and that risks both internal and external can be minimised.
* Follow Gadget on Twitter on @GadgetZA
email this to a friend tt tt printer friendly version
Telcos want one face
The investments that telecommunications service providers are making in reshaping their online properties into customer-centric portals reflects the growing maturity of self-service and Internet uptake in the industry, says KEVIN MELTZER of Consology.
Many telcos around the world are overhauling their websites to offer customers more holistic portals that give them a single point of entry into the organisation.
They are doing so because they recognise that service will be a key point of differentiation for their businesses in a market that is becoming increasingly competitive. They have also realised that they have a major opportunity to shift customers away from expensive contact centres towards low-cost electronic channels.
In the past, most telecommunications operators ran multiple sites across multiple domains and subdomains. These web-based properties were built around the way that telcos structured their own businesses rather than around the needs of the customer. But we are now seeing the leading operators take a more user-centric approach to the way that they design their web and mobile sites.
This coincides with a change in the industry from slicing customers into numerous segments and then serving them across a range of functional and product areas. For example, many operators split customers into prepaid and postpaid segments or voice and data users, distinctions that are becoming less meaningful in a world of technology convergence. They now want to present a single face to the customer rather than servicing the subscriber through silos.
These changes are starting to percolate through to operators’ customer service and sales strategies. Telcos are starting to pull together disparate products and services that once resided across multiple sites into customer service portals.
These sites put a wide range of information at the subscriber’s fingertips, he adds. Increasingly, for example, subscribers can log directly into their accounts from the operator’s homepage and then access a wealth of services and information. This marks an evolution from the fractured and inconsistent customer experience of the past.
Leading operators are even thinking about how their Self-Service platforms should be integrated with social media strategies to allow customers to pay their electronic bills or top up airtime with a single click from within a social network.
Whereas Self-Service portals on telco sites were once purely about account management functions, they increasingly offer far richer functionality. In addition to allowing subscribers to pay their bills and check their account information, they are also increasingly becoming the first stop for service and commerce.
Operators have started to recognise that splintering their e-commerce, service and account management functions simply makes no sense. Customers want to be able to do everything through one interface rather than needing to visit two or three Web sites, or eventually possibly needing to phone a call centre or visit a store for certain transactions.
Integrated and easy to use online customer service channels will be central for telco operators who want to be competitive in the markets of tomorrow. They form an advantage in an industry where it will be customer relationships rather than cost or service that drive loyalty and purchasing decisions.
Talk for less with MWEB Talk
Today, MWEB announced its consumer VoIP package called MWEB Talk, which allows users to make free network calls and get discounted rates made to landlines and mobile phones.
MWEB, today launched its new Voice over IP (VoIP) offering to South African consumers. The service, MWEB Talk, will offer users’ free on network calls to fellow MWEB Talk users’ and cheap calls to landline and mobile phone numbers. This follows the success and demand of the ISP’s existing VoIP products in recent months.
‚”We have seen a noticeable transformation in users’ Internet behaviour with consumers wanting services that complement their ADSL connectivity solution. We have seen phenomenal growth and by the end of the year will deliver over 100 million minutes on our VoIP platform,‚” says Carolyn Holgate, General Manager of MWEB Connect, the ISP’s Consumer and Small Office/ Home Office Division.
MWEB has made significant investments in its infrastructure and VoIP has been prioritised on its network to ensure performance and stability of the MWEB Talk service for both businesses and consumers.
‚”In addition to the high quality of the service, MWEB Talk is also simple to set-up and users’ should experience a significant reduction in their telephone bills. By implementing a VoIP service consumers and small businesses can cut their monthly telecommunication bills by up to 55% to landline and mobile numbers,‚” says Holgate.
With no subscription fee, existing MWEB customers can log into their MWEB account, register for the service and download the application for PC and Mac as well as mobile applications that turn an iPhone, Android, and Nokia smartphone into a VoIP phone. Customers will also be able to purchase a Desktop VoIP Handset for R99 which will be HD voice ready and will support multi-extensions.
‚”We believe that VoIP is the future of telephony in South Africa and we are extremely excited to see the consumer market shift into the VoIP space,‚” concludes Holgate.