
Security Questions Customers Must Ask Their Cloud Vendors

Oracle

Security is still the biggest issue keeping organizations from using cloud computing, followed closely by concerns about complying with regulations and losing control of data, according to a recent study by 451 Research.

Are those security fears valid? Perhaps the steady stream of news about breaches and data losses, at both companies and government agencies, continues to feed doubts about cloud security in general. “But most public clouds are infinitely more secure than most companies’ current internal data centers and security functions,” note Accenture experts Jack Sepple and Daniel Mellen in a column on Forbes.com.

In the meantime, enterprise SaaS applications are outselling their on-premises counterparts by a factor of five—so customers are clearly seeing the benefits of SaaS. If that sector is growing at such a rapid clip, while many still profess angst about cloud security, there must be a lot of heartburn as companies try to pick the right SaaS vendor.

As your organization evaluates cloud-based applications, which security questions should you be asking vendors? I posed that question to Ben Nelson, vice president of security and regulatory compliance for Oracle Cloud—which added 612 SaaS customers in Q1 FY2016 alone and provides services to more than 70 million users via 19 data centers worldwide. Here are the three main questions Nelson recommends asking:

To what extent do you isolate customer data?

“Some cloud providers will promote the fact that they provide data isolation or tenant isolation, but often that isolation mechanism is just one bad keystroke away from potentially commingling customer data,” Nelson says.

For example, if a cloud provider puts all customer data into one monolithic database and relies on application-level controls to keep the data segregated, an administrator who is updating data for one of those customers could accidentally update the database for the wrong customer or for multiple customers.

Another concern is whether the cloud application itself has exploitable security vulnerabilities. In a shared database environment, a single flaw in that application puts every customer’s data at risk at once, not just the data of the customer whose account was used to reach it.

“But in a multitenant instance where there is proper isolation, only that single customer would have the potential to be compromised,” Nelson explains. “That’s one reason it’s important for different customers using the same application to each have their own isolated environment.”

Keeping each cloud customer’s database separate (even though it runs on the same hardware) means each customer has its own set of authentication credentials and possibly even its own schema for its database instance. The risk of data being commingled because of a single mistaken keystroke is lessened, as is the blast radius of a vulnerability in the application itself.
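The two models described above, as an added illustration that is not from the article or from Oracle: a single shared table guarded only by an application-supplied tenant column, next to one database per tenant. The tenant names and account rows are constructed sample data, and SQLite in-memory databases stand in for the per-tenant databases with their own credentials (SQLite has no user accounts, so the separation here is physical rather than credential-based). The “bad keystroke” is a bulk update whose tenant predicate was left out.

```python
"""Tenant isolation: shared table with an application-level filter
versus a separate database per tenant.

Added example, not code from the article or from Oracle. The tenant
names and rows are constructed sample data.
"""
import sqlite3

# Constructed sample data: two tenants, two account records each.
SAMPLE_ROWS = {
    "acme":   [("a-1", "active"), ("a-2", "active")],
    "globex": [("g-1", "active"), ("g-2", "active")],
}


def _create_table(conn, with_tenant_column):
    # The shared model needs a tenant column; the isolated model does not,
    # because nothing else lives in the database.
    cols = "tenant TEXT, " if with_tenant_column else ""
    conn.execute(
        f"CREATE TABLE accounts ({cols}account_id TEXT PRIMARY KEY, status TEXT)"
    )


def build_shared_db():
    """Monolithic model: every tenant's rows share one table and only the
    tenant column, supplied by the application, keeps them apart."""
    conn = sqlite3.connect(":memory:")
    _create_table(conn, with_tenant_column=True)
    for tenant, rows in SAMPLE_ROWS.items():
        conn.executemany(
            "INSERT INTO accounts VALUES (?, ?, ?)",
            [(tenant, acct, status) for acct, status in rows],
        )
    conn.commit()
    return conn


def build_isolated_dbs():
    """Isolated model: one database (here an in-memory SQLite database,
    standing in for a database with its own credentials) per tenant."""
    dbs = {}
    for tenant, rows in SAMPLE_ROWS.items():
        conn = sqlite3.connect(":memory:")
        _create_table(conn, with_tenant_column=False)
        conn.executemany("INSERT INTO accounts VALUES (?, ?)", rows)
        conn.commit()
        dbs[tenant] = conn
    return dbs


def suspended_counts_shared(conn):
    """Suspended rows per tenant in the shared table."""
    return {
        tenant: n
        for tenant, n in conn.execute(
            "SELECT tenant, SUM(status = 'suspended') FROM accounts GROUP BY tenant"
        )
    }


def suspended_counts_isolated(dbs):
    """Suspended rows per tenant across the per-tenant databases."""
    return {
        tenant: conn.execute(
            "SELECT SUM(status = 'suspended') FROM accounts"
        ).fetchone()[0]
        for tenant, conn in dbs.items()
    }


def suspend_tenant_shared(conn, tenant, forget_tenant_filter=False):
    """Administrator bulk update in the shared model. Dropping the tenant
    predicate (the 'bad keystroke') updates every customer's rows."""
    if forget_tenant_filter:
        conn.execute("UPDATE accounts SET status = 'suspended'")
    else:
        conn.execute(
            "UPDATE accounts SET status = 'suspended' WHERE tenant = ?", (tenant,)
        )
    conn.commit()
    return suspended_counts_shared(conn)


def suspend_tenant_isolated(dbs, tenant):
    """Same bulk update against the tenant's own database. The statement
    carries no tenant predicate at all, yet it cannot reach other tenants."""
    dbs[tenant].execute("UPDATE accounts SET status = 'suspended'")
    dbs[tenant].commit()
    return suspended_counts_isolated(dbs)


if __name__ == "__main__":
    print("shared, filter kept:     ", suspend_tenant_shared(build_shared_db(), "acme"))
    print("shared, filter forgotten:", suspend_tenant_shared(build_shared_db(), "acme", True))
    print("isolated, no filter:     ", suspend_tenant_isolated(build_isolated_dbs(), "acme"))
```

Run as a script, the three lines show the point of the section: with the filter kept, only acme's two rows change; with it forgotten in the shared model, all four rows across both tenants change; in the isolated model the same filter-less statement still touches only acme. The same containment applies to an application bug that reaches the database with a tenant's connection, which is the "vulnerability danger" the text mentions.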

Does the fine print meet my business’s specific needs?

Not all companies have similar maintenance windows. That’s why it’s important for organizations to go with a cloud provider that lets them choose when their SaaS applications will be upgraded.

For example, retailers’ peak time is around Thanksgiving and Christmas. Obviously, that’s not a good time for an upgrade. Highly regulated companies may require upgrades or upgrade checks annually, perhaps at the end of the calendar year.

That’s another advantage of isolating customer applications and data in the cloud: Each customer can choose an upgrade schedule without affecting other customers. At the same time, Nelson says, “you want an isolation mechanism that allows you a good measure of individual flexibility.”

But if a cloud is designed so organizations are sharing CPUs, disks, or networks, all of those organizations may experience slower performance when one of their neighbors has a spike in traffic or transactions.

Some cloud providers might move these “noisy neighbors” to protect their other customers—but being moved could result in a hit to performance levels right when a busy retailer can least afford it.

Little surprise that a Gartner survey conducted last year showed that one of the big enterprise concerns with using a public cloud is sharing technology in a multitenant environment.

Who has access to my data?

How does the cloud vendor control and manage access to the underlying environment? If you’re in a regulated industry, you need to know who has access to the environment—from cloud vendor employees to your own staff—and which data they can access at any point in time.

Most security breaches (59%) continue to originate with companies’ own employees, according to Experian’s 2015 Data Breach Forecast. That risk can obviously rise when individual lines of business deploy a cloud point solution but don’t have an understanding of potential security risks.

Oracle Cloud provides centralized identity management across its SaaS offerings and on-premises applications, as well as role-based access controls that let customers map access rules to each job function. Cloud customers can auto-provision those controls across applications, avoiding the hassles and inherent security risks of managing multiple single-point solutions.

“With Oracle Cloud, we have a dedicated, Oracle-badged team of cloud security experts on duty 24x7,” Nelson says. “And because our entire stack is Oracle technology—hardware, operating system, cloud applications, middleware, monitoring solution, identity management—and because these pieces are fully integrated, we have direct access to product development at every layer of the tech stack to resolve any issues.”

Learn more on Oracle.com:

Security Sessions at Oracle OpenWorld

Executive Brief: 5 Things to Look for in a Cloud Provider When it Comes to Security (PDF)

Video: Securing Your Cloud Data is Not a Game