Strategy & Best Practices

Security and the Cloud: Setting the Bar

By Erik Ginorio / March 3, 2013

Many people still have their hesitations about using the cloud, and one of their primary concerns revolves around data security. I’ll admit I used to be one of them; when I first started exploring cloud environments years ago, even as a security professional, I was skeptical. There were only a handful of cloud vendors to choose from, and working with these companies could often feel more like using a black box than using an infrastructure or platform provider. It felt like we didn’t fully understand what was going on behind the scenes with our systems and data, and those are the things that keep security professionals up at night.

Thankfully, it’s 2013 and that’s no longer the case. Driven by early adopters, startups, and tech companies that raced to embrace the future, the cloud has grown, matured, and become much easier to use.

However, that doesn’t mean that all cloud providers are created equal. While each vendor is different, many of the largest cloud providers leave it up to customers to secure their systems and data. This may seem like the most obvious method—after all, that’s how it works on conventional networks—but in the cloud, it’s not quite as simple as that.

Every cloud environment is different depending on the provider, from the equipment and software they use, to how they are architected. This makes doing security in each environment different; there is no set of best practices on how to secure your data in every cloud environment because there are simply no uniform clouds and no uniform environments. We’re hoping that this problem resolves itself in the next few years as the cloud space continues to mature.

To think about this situation in a different way, take a conventional network as an example: Standard practices include putting your firewall inline between your Internet connection and your DMZ network. Yet with most cloud providers, dropping anything inline isn’t even physically possible, but with some others, it is. If you’re a security officer trying to secure your presence in these different environments, it means getting to know them on an intimate level, inside and out, and designing a policy that will cross any cloud environment. From there, you assess how to implement a process across these various providers, while still adhering to your policy and maintaining your baseline of security.

Bottom line: it’s difficult. It requires a skilled, dedicated, and experienced team to put this all in place and keep it working.

Luckily for our partners, this is something they never have to worry about when they work with AppDirect. Even our most junior administrators have over 15 years of experience, with an average closer to 20. Personally, I’ve got over 20 years of experience under my belt that ranges from startups to the very largest Fortune 100 companies.

This experience really paid off during our recent PCI audit; AppDirect passed with flying colors and received PCI Level 1 compliance certification. Being PCI Level 1 compliant means we’re not only in the top tier of companies accepting credit cards, but that our security controls, policies, and processes have been thoroughly reviewed by an outside auditor. What’s more, Verizon’s yearly report on PCI compliance recently stated that only about 22 percent of all companies accepting credit cards were PCI compliant, regardless if they were Fortune 100 or a successful startup. Of all the security breaches Verizon studied, 82 percent of the companies that suffered security breaches were not PCI compliant. As you can see, there’s a clear connection between PCI compliance and data security.

All of this really goes to show that security isn’t an issue you can just throw money at and hope it fixes itself. First-class security depends on the experience, skill, and dedication of the professionals you have doing it. For our company and our partners, that combination equals peace of mind.

Erik Ginorio is an information security officer at AppDirect.