As technology has advanced, the amount of data being produced by a seemingly endless number of devices has surged. This dynamic has seen the way businesses secure data evolve into a variety of mediums. This is a response to the continuously changing and, at times, insecure global business environment.
The popularity of the Internet of Things (IoT) continues to grow at an exponential rate, and more data than ever is required to ensure that these applications and devices perform at an optimum and secure level for enterprise operations.
An often under-reported element of IoT applications is the virtual and physical infrastructure that sits behind them, not in the devices themselves. To respond to this growing expanse of data, a number of options have been made available for enterprises – both small and large – to peruse. These include on-premise, private cloud, public cloud and colocation data centres.
It is in these domains where the necessary (cloud) computing capacity and secure storage of data is possible. Often, businesses will use a combination of these secure strongholds in order to remain versatile.
The aim with choosing any of the above platforms is to provide users with the capability to interconnect with networks, public and private clouds, customers and partners, as well as gain help with their IT transformation in a secure manner.
Security is king
The purpose of this piece is to identify the most secure avenue for protecting enterprise data, while dispelling some of the myths surrounding the security capabilities of the public cloud, for example.
Of course, a multi-faceted approach based on what type of data is being secured will be a factor in dissecting the most secure option available to enterprise.
Ultimately, it must be noted that the level of data security depends on how and by whom the technology is utilised. Paul Calatayud, CTO of FireMon, explains, ‘If we look at a small company with limited IT and no security staff, on-premise may be a more risky option compared with a public cloud option. Whereas, a company with a strong team dedicated to data protection and heavily regulated may see the cloud as more risky.’
‘In the end, one has to look at the core business and ask oneself: what are we really good at, and what parts of our company are better served by mother experts?’
The notion of on-premise is fairly simple. It describes when all the equipment and infrastructure, where the data is stored, is within an organisation’s own premises.
The most attractive aspect of using on-premise for securing an enterprise’s data is that they have full control over ‘the physical, logical and human risks associated with data protection’, suggests Calatayud.
It is entirely in their hands and can take many forms, as David Barker, founder and technical director of 4D, explains: ‘Sometimes this data is secured on-premise in a specialised data floor, if the requirement is large enough, but often within a comms room in the corner of an office.’
On-premise offers organisations direct control over their data and gives them the ability to manage the controls put in place around their infrastructure.
This capability is its biggest strength. It is also, ironically, its biggest weakness. The very fact that it is the sole responsibility of the organisation to protect its own data across its operations makes it vulnerable.
Calatayud highlights that the weakness lies in core competencies with an organisation’s staff: ‘Are you prepared to sustain the same standards as the cloud or colocation providers with regard to data protection?’
It is the continued maintenance of these high security standards where the problem lies, because securing data is not the primary function of the enterprise.
Killian Faughnan, group CISO at Interoute, elaborates: ‘At a time when we’re seeing more and more companies moving to DevOps models with faster provisioning cycles for both applications and infrastructure, keeping pace with the rate of change is difficult at best.
‘Companies need to decide if security teams’ time is best spent securing and managing infrastructure, or if they’d rather focus on the mission-critical applications used to run the business. Often, they’re better off outsourcing the infrastructure (and therefore security) work to a cloud provider or partner that can do this at scale as a matter of course.’
So, it appears that while on-premise data security offers control, it inherently undermines a business model that should be focusing on its own operations. There are, after all, both private and public cloud providers that offer specialised data security services.
A cloud provider’s reputation is staked on how well it can secure data. Therefore, huge amounts of resources are thrown at ensuring it does exactly that – more so than an organisation, no matter the size, might do. Public cloud providers specialise in large-scale data defence.
Regarding public clouds, they are likely to be physically secure, despite the myth of insecurity that surrounds them. Typically, they are hosted within specific data centres that require security access, and because an enterprise’s data is shared on the same infrastructure as the provider’s other clients, it tends to be more secure virtually.
Barker explains that public cloud platforms ‘provide for isolation of virtual machines, network traffic and management functions between clients, so the likelihood of being breached through the cloud platform itself is low’.
In fact, an attack on a public cloud is most likely to originate from a private cloud, colocation or on-premise system where an administrator’s credentials have been hacked.
‘The risk will always be higher than hosting the exact same systems on dedicated infrastructure through a colocation or private cloud provider because there is some element of resource sharing with other clients,’ claims Barker.
However, it should be noted that backup and recovery of data is more likely to be achieved successfully on public cloud than it is on colocation or on-premise.
While this counters the perception of the public cloud as insecure, it is not faultless. Gordon Nother, data protection specialist for UK and Ireland at Fujitsu, says a lack of control from the enterprise means that the public cloud poses a greater risk. ‘Most of the big security breaches have been on public cloud,’ he says.
An issue of adaptability is also raised by Faughnan who suggests that public cloud providers’ approach to security needs to change in order to fit new environments.
Traditional models, he suggests, ‘don’t work in dynamic environments where systems are automatically commissioned and decommissioned based on demand.
It requires a shift in thinking not dissimilar to what is required for a good DevOps security model – a move towards security automation and a renewed focus on data over devices.’
The private cloud delivers similar
advantages to that of public cloud, including scalability and self-service, but through a proprietary architecture. Unlike public clouds, which deliver services to multiple organisations, a private cloud is dedicated to a single organisation.
In terms of security, the physical infrastructure of on-premise is removed, while being able to maintain the physical security offered by a dedicated data centre.
Cloud hosting, similar to colocation, offers businesses a secure method of streamlining their data and managing their network. In this respect they appear similar: both are outsourced data management solutions hosted off-site. But that is where the comparison ends.
Colocation (data centre) providers rent out physical space to enterprises for servers, hardware and other equipment. The costs include power, storage, climate control and bandwidth.
When enterprises colocate, they outsource storage and maintenance of physical hardware, while retaining ownership of the equipment. Basically, the data centre provides the physical security but the business in question provides the virtual defence.
The physical security comprises 24-hour CCTV, guards and – as Information Age learned on a recent tour of an Equinix data centre in Canary Wharf – about five to six layers of additional protection throughout the building, ranging from security doors to backup solutions in the event of a power failure.
On top of this, clients can install biometric security solutions such as retina, voice and fingerprint identification onto their specific servers. These stringent security measures ensure that colocation data centres are physically the safest haven for an enterprise’s data.
In terms of the virtual security, that responsibility lies with the enterprise using the data centre’s services. In this case, it is fundamental to have in place not only a firewall (often easy to bypass for skilled hackers) but a security system that pervades and monitors within the network. Prevention security measures are not very reliable in this era of ransomware and DDoS attacks.
Instead, those companies securing their data in a colocation data centre should focus on detection and response solutions to virtually defend their data. In terms of securing one’s data, it appears that the colocation data centre triumphs. Cost is an issue, and typically only the larger organisations can afford the ‘experience’.
>See also: The changing role of the data centre
However, Michael Winterson, managing director of Equinix Services, tells Information Age that there are ways around the price: ‘Clients who can’t quite afford to buy the service directly from us, or who don’t have the skill sets to operate that equipment themselves, can buy services from, say, FX ecosystem or Fixnetix, who will host them in our data centre and give a smaller company access to something that a larger client would normally buy directly.’
During discussion with a number of experts, weaknesses within a colocation data centre were hard to come by. Calatayud identifies the rather rare threat of another tenant of the same data centre gaining access to a company’s server.
This is highly unlikely, and the physical security measures will most likely nullify this threat. Faughnan cites the same weakness but says, ‘This can be mitigated by ensuring that suppliers have the appropriate certifications and compliance regimes in place – for example, having cameras installed with a view of your systems, in compliance with PCI requirement 9.’
If cyber security from the network side is maintained to the highest standards while constantly evolving to counter the evolving threats, then colocation ensures data security.
The flexibility, scalability and agility offered by utilising cloud services can also be replicated via colocation, as Barker confirms: ‘Colocation is an excellent upgrade from on-premise and can provide a path to private or public cloud hosting with a provider that can provide all three services.’
Enterprises that come into Equinix facilities, for example, have the option to run multiple applications in the cloud – connecting directly to the Google Cloud Platform to run G Suite and to Microsoft for Office 365 for email.
Perhaps, the most generous comparison that can be drawn to a colocation data centre is a bank vault.
Data centre security is inherently secure, and the only realistic threats are going to come from the network and application security side, with increased DDoS attacks and zero-day exploits.
Jonathan Jenkyn, security practice lead at KCOM, concludes with the very practical notion that security is all about what can be risked: ‘In IT security terms, enterprises have to balance the confidentiality, integrity and availability of the data to meet their data usage requirements. This CIA triad, as it’s often termed, is difficult to quantify, and is normally qualitatively evaluated. Each organisation will have a unique approach to how particular types of data are handled.’
A variety of data security options has been discussed in this piece. Each has its own strengths and weakness, and ultimately the right choice for the enterprise will be entirely individual, based on the specific needs and goals of the business.