Securing the Sky
Last week we talked about the four reasons why we like cloud solutions at iVEDiX. Despite all of the positives that we have found, there have been a few drawbacks that we have identified. One of the most important is security.
In the context of iVEDiX, we would immediately argue that the risk depends on us. Cloud computing can be secure if we are cautious and take a few specific factors into account. At first glance, a company may feel naked when considering that a cloud computing provider has to be trusted with its data, knowledge, and security. After all, who can trust cloud computing when we don’t know who monitors these devices and how security is managed?
After a little bit of introspection, we’ve come to realize that these risks can be mitigated if we take steps of our own. We can equate this to storing money and assets in a bank. We trust others with the safety and security of our other assets, and the situation with our data is similar.
First, iVEDiX identified what data to store in the cloud and what critical data to keep only locally. For example, sensitive white papers or patent documents or confidential customer data have not been stored in the cloud. In the unlikely event of a breach, these most important documents and databases would be kept safe from the intruders.
However, for the sake of convenience, it made sense to store on the cloud any code that requires multiple-user collaboration, because of its criticality, the shared nature of the data, and the high frequency of updates. The daily backups by the provider give us a constant recovery point should something catastrophic happen. As such, the redundancy options provided by the cloud provider, along with one’s own backup and security procedures, mitigate the risk of data loss or theft at a moderate price and with minimum effort from the development team.
Of course, since the topic of this blog post is security, we need to talk about how to make sure that cloud solution personnel, or malicious external intruders, do not “steal” any code. The answer is that the files must be encrypted when they are placed on the cloud. We have been leveraging an SVN feature that encrypts exports from the code repository; the only way to decrypt them is by knowing a secret 1024-bit key known by the authorized developers. Obviously, the key is exactly the kind of confidential data you don’t want to store on the cloud, just as you wouldn’t give the key to your safe deposit box to your banker, or access to your electronic health information to your IT team.
Again, here we see the importance of selecting which data to store on the cloud and which data to keep protected at home. Due diligence on the part of a company allows it to use all the advantages of a cloud computing solution while mitigating the security issues.
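The two rules above (only encrypted files go to the cloud, and the key never does) can be checked automatically before anything is uploaded. The following Python sketch is an added example, not iVEDiX's own tooling: it audits a staging directory and flags files that contain key material or look like plaintext. The entropy threshold, the marker list, and the file names are assumptions chosen for illustration.

```python
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Byte markers that indicate key material; constructed list for this example.
KEY_MARKERS = (b"-----BEGIN", b"PRIVATE KEY")
ENTROPY_FLOOR = 7.5  # bits per byte; assumed threshold, ciphertext sits near 8.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; well-encrypted data approaches 8.0."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(n / total * math.log2(n / total) for n in Counter(data).values())


def audit_staging(staging: Path) -> dict:
    """Map each file under the staging directory to a finding, or 'ok'."""
    findings = {}
    for path in sorted(p for p in staging.rglob("*") if p.is_file()):
        data = path.read_bytes()
        name = str(path.relative_to(staging))
        if any(marker in data for marker in KEY_MARKERS):
            findings[name] = "key material"
        elif shannon_entropy(data) < ENTROPY_FLOOR:
            findings[name] = "likely plaintext"
        else:
            findings[name] = "ok"
    return findings


def build_sample() -> dict:
    """Constructed sample: a random blob standing in for ciphertext,
    a source file, and a PEM-style key header."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "export.tar.enc").write_bytes(os.urandom(65536))
        (root / "main.c").write_bytes(b"int main(void) { return 0; }\n" * 200)
        (root / "repo.key").write_bytes(b"-----BEGIN PRIVATE KEY-----\n(constructed)\n")
        return audit_staging(root)


if __name__ == "__main__":
    for name, verdict in build_sample().items():
        print(f"{verdict:17} {name}")
```

High entropy is a heuristic, not proof of encryption: compressed archives also score near 8.0, so a check like this catches accidental plaintext uploads but does not replace verifying the encryption step itself.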