This is the first in a series of posts that will drill deeper into cloud security and some of the key questions it sparks. In this first installment, I will highlight some of the different facets of cloud security.
Cloud computing inherently introduces a number of questions around security. To many, it’s a new model, and in a shared-tenancy environment certain questions are bound to arise. And as I engage with our customers, it’s clear that cloud security means different things to different people. Essentially, cloud security has many flavors – and they all should be considered when thinking about “security in the cloud.”
There are not only concerns around the security of the server and the data itself; network security, account and access controls, compliance and regulations, and other questions also come into play. Here, let’s break down some of the levels of security and how Rackspace provides them to our customers.
Physical security doesn’t often come up in cloud conversations, but it is an integral part of a cloud security strategy. Cloud providers are responsible for the physical security of their data centers and the cloud infrastructure that is hosted with them. For example, Rackspace data centers are operational 24x7x365 and are manned around-the-clock by a security team and engineering/operations personnel who must pass multiple gates to enter the data center, from key card access to biometric hand scanners, to name just a couple. Appropriate additional perimeter defense measures, like walls, fencing, gates and anti-vehicle controls, are in place. This ensures customers’ data is physically secure.
Data security in the cloud starts with the identification and assessment of the unique risks faced by the data that the customer wishes to host in a cloud environment. Rackspace has implemented many controls to manage the risk of compromise to our internal networks and via the hardware and hypervisor layers, and can also provide services and guidance on addressing the risks identified by the customer. As the data owner and the primary system administrator of their cloud solution, the customer is ultimately responsible for data security issues.
Account Security and Access Controls
Account security and access controls are also key areas of concern in an outsourced hosting solution. This is also true with cloud-based services. Customers require that only authorized users have access to their solution and that accountability is maintained. Rackspace has put in place appropriate safeguards to tightly restrict access to our back-end infrastructure and can also recommend services to assist customers in their efforts to enforce account security and access controls above the hypervisor layer.
Compliance and Regulation
Additionally, Rackspace maintains an internal security management system to ensure that it meets the requirements of applicable legal and regulatory obligations. Rackspace has been assessed and holds validation for the following compliance frameworks: ISO 27001, SSAE 16 and ISAE 3402 (previously SAS 70 Type II), PCI DSS and Safe Harbor (export.gov). Of course, it is the customer’s responsibility to comply with relevant laws and regulations that impact their data hosted in the cloud.
It is important to note that many of our best practices are applicable across our entire portfolio of services (e.g. data center security), whether dedicated hosting or cloud.
That’s it for this week. I hope you found it informative. Be sure to tune in next week, when I’ll dive deeper into the spheres of responsibility and which security components are Rackspace’s responsibility and which are the customer’s.