Virtual server hosting for schools and colleges: mitigating security risks.
GUEST COLUMN | by Adam Stern
It’s now part of the conventional wisdom that cloud computing has altered the information technology delivery model. The steady embrace of the cloud among schools and colleges does not, however, mean that educational institutions can or should let their guard down on matters of security and data protection. While cloud server hosting provides compelling benefits, security is an essential part of any discussion of cloud adoption. Mitigating security risks is imperative to giving CIOs and CISOs the comfort level they need to transition applications and data to the cloud.
Applications, systems and data all have different security thresholds. For example, web, mobile and social can be moved to a virtual server without the same degree of security concern as there is for regulated information or mission-critical applications – an especially relevant concern for public institutions. When deciding whether an application, product or service belongs in a cloud server, CIOs and CISOs must consider:
- Type of data or application
- Service-level agreement
- Security environment
The decision to move to the cloud, especially the public cloud, should depend on the sensitivity of the data and the level of security offered by the cloud provider. The final question should be whether the value offsets the risk.
Cloud service providers (CSPs) are beginning to put a greater emphasis on security protections, with technologies like clustered firewalls and IDPS (intrusion detection and prevention systems). In the cloud’s infancy, CSPs touted scalability, initial cost savings and speed. But the prospect of enhanced security in the cloud – indeed, that the better cloud deployments now mean that data is safer in the cloud than on a typical unsecured desktop – has altered the conversation. Educational institutions assessing cloud service providers can now seek out CSPs whose security controls mitigate the risks of moving to the cloud. Increasingly, schools are facing the challenge of dealing with outdated modes of storage and finding affordable, practical, secure solutions that meet their needs.
When considering a move to virtual server hosting, CIOs and CISOs need to check for audits of a CSP’s security controls. Look for providers who have passed the SSAE (Standards for Attestation Engagements) No. 16 Type II audit, one of the most rigorous auditing standards for hosting companies. The audit confirms the highest level of service and reliability attainable for a virtual server hosting company. To be SSAE compliant, a hosting provider should offer SSL capability, enterprise-level, application-level protection, hardware firewall, IP-restricted FTP, managed backups with 14-day retention, advanced monitoring and multi-level intrusion prevention.
In addition, an increasing number of CSPs are using the American Institute of Certified Public Accountants’ Service Organization Control process (SOC), the organization’s certification of controls with verification for cloud environments. Some of the larger cloud service providers now publish SOC reports on their security controls. Mandates from CIOs and CISOs may be required before SOC reports are published by all cloud providers.
Now more than ever, cloud service providers are realizing that managing security is fundamental to facilitating cloud adoption. Those cloud providers concerned about safeguarding their clients’ data and applications – so vital in schools and colleges, public and private – are taking steps to mitigate those risks with tight security controls and transparency regarding those controls.