Security and data protection in the cloud

16 Oct 2011

With the recent high-profile security breaches of Sony’s PlayStation Network, along with outages at Amazon’s data centres, LAURA O’BRIEN asks providers how secure data is in the cloud.

In April of this year, Sony experienced one of the biggest security breaches of all time. The Sony PlayStation Network and Qriocity Services were infiltrated, giving hackers access to personal information from 77m accounts. Its PC Games Network followed, which affected 24.3m users.

It’s every company’s worst nightmare and Sony is still trying to recover from the hacking incident. Sony is still strengthening its security and recently hired former US Department of Homeland Security official Philip R Reitinger as its chief information security officer.

Separately, Amazon’s EC2 cloud service experienced downtimes, though these were not due to a malicious attack. The first occurred in April, taking down websites running on its services, such as Reddit, Quora and Foursquare. The second occurred in August, caused by a transformer failure at a Dublin data centre.

With these high-profile events, it’s no wonder that 68pc of Irish companies who took part in an O2 cloud computing survey cited data security as their biggest barriers to moving to the cloud. But is this fear valid?

“There may be things you hear about in the news but my analogy is that it’s like a plane crash versus a car crash,” says Francis O’Haire, technical director at DataSolutions.

“You will hear about a plane crash because it’s such a rare event and it has a bigger impact, but it’s still the safest way to travel, statistically.”

O’Haire goes on to say that, if anything, cloud computing offers much stronger security options for smaller companies than non-cloud solutions.

“The first thing to do is acknowledge that for some businesses – certainly the small to medium businesses – the type of security available in the cloud is much, much greater than they could potentially ever afford themselves.

“It’s about the economies of scale. A small or medium business may only be able to afford a certain class of firewall, or intrusion prevention or other types of security and probably doesn’t have a guard at the door 24/7 to make sure that nobody walks in and takes their data.”

Indeed, firms that revolve around running data centres will have better resources to protect the physical side of the infrastructure.

Tanya Duncan, managing director at Interxion, describes how the company safeguards its data centres.

“From our perspective, we want to make sure that the infrastructure is secure, that we have physically all the deterrents necessary to make sure that nobody is going to come and possibly steal,” says Duncan.

“We have fencing, 24/7 security, CCTV, all those physical things you’d expect. And, of course, in terms of access procedures, we want to make sure that the right people are accessing the right areas in the data centre. We’re very strict about that.

“For example, you have to go through biometric readers; you have to present your passport when you come onsite and only those who are allowed to come onsite who are preannounced will get to a particular area,” she explains.

However, Duncan emphasises that Interxion doesn’t get involved in the virtual side of data security and says that it is up to businesses to look to the security experts for this.