Security in the cloud

Cloud services have many attractions, but we cannot forget to pay attention to security. Photo: Hindrik

Many IT services that formerly ran on site are now moving to the cloud, a remote collection of computing resources that run the same services for large numbers of customers.

Cloud services offer a number of advantages over on-site applications. First, there are significant economies of scale in providing services to so many customers. We also realize FTE savings since employees do not need to become experts in running and supporting these services. Finally, we can use the latest hardware and software without having to spend time on upgrades.

However, running services in the cloud can present security challenges. How do we protect our sensitive information from unauthorized access? How do we ensure that the cloud provider keeps their services patched and protected against common security vulnerabilities? How can we ensure that we will always have access to these services and to our data?

The short answer is that cloud service providers could not stay in business unless they could assure their customers that they are operating securely and robustly. As we do for our own services, they obtain certifications from third-party auditors for their systems’ security and can provide formal detailed security plans for their customers. They also have backup systems to guarantee data is always available. And unlike Fermilab, whose default paradigm is the wide sharing of scientific information, their fundamental strategy is keeping information secret and protected.

Before using a cloud provider, Fermilab conducts an assessment to evaluate potential security risks and ensure that the cloud will be at least as secure as if the service operated on site. We sign agreements with the vendor with guarantees of uptime and ensure that necessary security controls are documented in purchase orders.

Our newest cloud-based service is FermiWorks. While it may initially seem scary for information about all employees to be trusted to the cloud, we are confident that our information is at least as well protected as it has been on our own systems (and considerably better protected than in many government and retail data repositories). We are assured that the FermiWorks vendor, Workday, will protect our information so we can enjoy the many benefits this modern electronic service will bring to us.

Our enterprise strategy is to continue to take advantage of cloud services when appropriate. Individual users should not casually move services to the cloud without early involvement of teams from both the Core Computing Division and the cybersecurity team.

Irwin Gaines