Security invariably heads the list of concerns that any CIO outsourcing IT to a cloud service provider would have. Questions have to be raised on the reliability of the service provider's infrastructure and how access to the infrastructure as well as data, applications and other assets placed outside the company's premises are secured.
For Tata Communications, the critical factors extend beyond securing the cloud environment to transforming the customer's value chain. "It's about generating real [business] value, consolidating and leveraging resources, shortening time to market, having a system that automate upgrades and patches, innovating and so on," said Amit Sinha Roy, the company's vice president of Marketing & Strategy for Global Enterprise Solutions, at the recent CommunicAsia show in Singapore. "These are some areas that companies adopting the cloud should be mindful of."
From the perspective of a service provider that has served many enterprise customers in the region, Roy suggests six questions that enterprises should ask to better understand the key differences in vendor security.
1. How does the service provider safeguard its IaaS service?
"[Virtualization] provides service providers like us the visibility into what's happening [in the environment] so we can leverage hardware more efficiently and gain better control of the infrastructure," said Roy. "Trained network and security professionals must proactively monitor [the logs and traffic] 24 by 7 and implement carrier-class mitigation solutions to prevent any distributed denial of service (DDoS) attacks."
Ultimately, access to the compute infrastructure is really about the network. So, the service provider must ensure traffic from different customers are segregated with virtual LANs (VLANs). They must protect the network and provide secure network access with industry-leading Evaluation Assurance Level 4-certified firewalls.
"Beyond these fundamental [measures], there should be [the ability] to do penetration testing to see if it has any weaknesses. Are they using industry-standard platforms with security built-in? Are there any vulnerabilities in the system? Are the firewalls business-grade and can they be managed? The logs tell us a story over a period of time, such as someone trying to repeatedly hack into the system. It's about proactive monitoring."