Companies looking for robust environments for Application Management or Data Management require secure Data Centers. There are two major security conditions regarding Data Centers that must be addressed by any IaaS Provider:
- Physical Security of the Data Center
Data Centers need to meet strict industry compliance standards, such as SSAE 16 and SOC1 Type II. Data Center facilities that attain this compliance are validated to operate in a manner that attests to a commitment to Operational Excellence and Security Controls for facility access.
- Data Center Compliance
To ensure Data Integrity, the IaaS Environment must also be PCI DSS compliant. PCI DSS compliance is a standard created to reduce credit card fraud that may result from vulnerabilities in the Data Centers. For a Data Center to be SSAE 16 SOC1 Type II and PCI DSS compliant, an independent auditing firm assesses the organization and provides verification that the Data Center meets the standards of Operational Excellence and Data Security.
Companies that decide to move data to the Cloud need to consider a number of topics. These include:
- Data Encryption
Whether hosting applications in a Public or Private Cloud, a Client needs to ensure the IaaS Environment provides strong end-to-end data encryption. Not only should the data be encrypted, but also the disk storage. This prevents unauthorized sources from accessing the data. Apart from disk encryption, all communications between the host virtual machines and operating systems in the IaaS Infrastructure should be encrypted, using, for example, SSL or AES-256 encryption.
- Logging & Reporting
Effective deployment of IaaS, both in Public and Private Clouds, requires comprehensive logging and reporting. As virtual machines are moved between servers, and users access various data or applications, it is important to know what data is live or being accessed by which parties.
It is necessary to ensure that malicious intrusions can be monitored and addressed. The ability to capture access and activity on the servers is critical in choosing a Data Center. Also, encryption keys used should be owned by the Client, not the IaaS Provider.
- Authentication & Authorization
Access to the Data Center from a network or application perspective should be considered. The levels of authentication required for various levels of access should be defined. Some applications may not need authorization, while others may need multiple authorizations. Integrating a flexible authorization system that operates in conjunction with the security systems is crucial to the security of data in the IaaS Environment.
- Application Security
Application-to-application security in the IaaS Environment should be considered. Solutions should be architected to use the firewalls provided by the IaaS Provider and, additionally, in-house security magnets to reduce vulnerabilities. The ability to troubleshoot, detect data vulnerabilities and mitigate risks inside the Cloud Provider's platform should be considered.