Nowadays, nobody can deny the remarkable benefits of cloud computing, both infrastructure as a service (IaaS) and software as a service (SaaS). Cloud computing drives cost savings, the agility to support customer demands, and innovation; it is definitely a fundamental factor in corporate digital transformation. However, cloud computing also involves some level of complexity in dealing with IT security, since organizations delegate certain responsibilities for storing and controlling sensitive data to third parties. In this article, we aim to identify the cloud security handicaps and propose a security model, from a Telco Cloud Provider perspective, to make the cloud voyage easier and safer.
- Data resilience in multiple regions: the cloud provider must have distributed storage in multiple regions to ensure global availability. As part of its global cloud services offer, Telefónica offers nodes in different countries to solve local regulatory problems, without undermining the unified, global perspective that multinational clients may require or the portability of information between regions.
- Segmentation: in a shared environment, complete isolation between users must be ensured, so that the use (or abuse) of the service by one of them does not affect the performance of the rest.
- Certifications: third-party certifications provide assurance regarding the implementation of systems and security measures. Organizations such as the Cloud Security Alliance (CSA) award certifications such as CSA Star, based on the ISO 27001 standards group and suited specifically to cloud services.
- Visibility and control: it is worth highlighting the importance of tools that give intuitive visibility into the overall security state, as well as cross-monitoring, detection and response tools. A vulnerability analysis platform, like Vamps, can be integrated into testing processes and contribute to a more secure development process.
- Integration with managed security platforms: a differentiating factor of a comprehensive security proposal for the cloud is its level of integration with Managed Security Services (MSS). If the same provider can offer both, complexity, the main handicap of managed security, will be greatly reduced. Telefónica has specifically defined its cloud security solution with this principle in mind to simplify day-to-day operation.
- Identity Management and Authentication: the cloud services platform must offer comprehensive, generic identity management that is interrelated with that of the other services used by the organization, such as communications or applications. For this, Telefónica includes well-known services such as Latch and Mobile Connect in its cloud services offer.
- Security governance: additionally, some interaction between the resources deployed in the cloud environment and risk management and security compliance tools will bring a higher level of security understanding. Telefónica has in its portfolio a specific regulatory compliance solution, Sandas GRC, which interacts with Telefónica's cloud environment to provide real-time risk and regulatory compliance.