Cloud Security: What You Need To Know To Lock It Down 74
Nerval's Lobster writes "IT security writer Steve Ragan writes: 'The word "cloud" is sometimes overused in IT—and lately, it's been tossed around more than a football during a tailgating party. Be that as it may, organizations still want to implement cloud-based initiatives. But securing assets once they're in the cloud is often easier said than done.' He then walks through some of the core concepts of cloud security, along with the companies operating in the space."
You can't have it all. (Score:2, Informative)
There is no guarantee that once you put it out on "the cloud" that someone else won't reach for it.
Can't be done. (Score:5, Informative)
The cloud provider effectively has physical access to your machine, which is game over for any sort of security. Even if you use full disk encryption, you're going to have to decrypt it, and that means your key will be in RAM. A motivated spy in the cloud provider would have little trouble dumping your VM's RAM and decrypting everything.
You might be able to get away with running machines locally, and using the cloud for storage, if you encrypt everything locally and only store encrypted data in the cloud. But that removes most of the benefits of using the cloud in the first place.
Not all the benefits (Score:5, Informative)
Locally-encrypted backup-to-the-cloud is a viable, marketable service. This works both on an "intranet" basis for departments that don't, or for legal reasons can't,* trust IT with access to their data but who want the physical security of their backups managed by IT as well as on the "internet" as an outsourced-backup arrangement.
* Human Resources and departments that have certain external contractual obligations may not want to allow anyone outside of their department to have access to un-encrypted data or encryption keys. In certain industries like defense or medical care, the entire business may function like this.