Mediaplanet: What are the main differences between a public and private cloud in terms of security?

Greg Brown: Public cloud generally implies that compute, storage, and network are shared infrastructure that is virtualized. The IT operations and virtualization layers are completely controlled by the service provider. The subscriber has to trust these operational practices and the software layers below their application to the administration of the service provider. Any personnel risks or escapes in software management below the virtual machine represent an uncontrollable risk for the subscriber. Additionally, public cloud subscribers should be aware that all software and data could leave residual images on storage and backup devices implemented by the public cloud provider.

Private cloud is generally implemented on hardware that is owned by the organization, but leverages cloud provision technologies to simplify administration and deployment. The organization has greater control over the administration and can still depend on their physical facilities controls for access to assets or information. Because the provisioning technologies make data and applications more agile, there is still a concern about administration of the environment and assuring that there are no process or compliance escapes.

MP: How safe is cloud data storage and what crucial elements should a company consider when making the shift?

GB: Organizations should consider implementing an encryption solution that protects/obscures their data stored in the cloud. This enables the subscriber to cease their usage of the cloud solution with an assurance that their data cannot be retrieved from the cloud by others even though they may have terminated the service.

MP: Where can companies make changes to ensure their information is kept safe and private?

GB: Organizations should implement a security management strategy that maps their cloud workloads and data to the control technologies for the physical resources. They should be able to understand where any virtualized application and its associated data is running and have a clear understanding of the controls that are in place to protect the data. If they have the right level of visibility of the true underlying infrastructures, then they can easily identify risk and non-compliance to policy.