The following is a guest post by Harrison Hersch, Director of Engineering for MCF Technology Solutions, a full-service Web 2.0 PaaS provider that specializes in enterprise-level solution design and development.
There is a linear relationship between increasing cloud consumption and the necessity for security. "The cloud," which can mean many things, provides unparalleled flexibility and scalability for a business. At MCFTech, the cloud has created a scenario where more of each incremental hour of work goes toward adding value rather than toward worrying about things like dual power supplies on a server or the health of a hard drive. Leveraging cloud Infrastructure as a Service (IaaS) providers such as Microsoft Azure means they manage the physical layer. These providers are much more capable of addressing physical hardware, redundancy and security than most organizations. While Azure manages that physical security (badge access, biometrics, etc.), the rest is left up to the end consumer or business.
The same concept extends to cloud platform providers such as Intuit QuickBase or other hosted applications/services such as Office 365. In these types of platforms, the service provider manages the servers (potentially hardware and virtual), the patching, updates, encryption, etc.
In Platform as a Service/Software as a Service (PaaS/SaaS) and IaaS, the barrier to entry for "the cloud" is relatively low. This sometimes causes people to think they are inherently "secure," when it actually increases the need to treat security at the other layers seriously. A bank may have a very secure vault, but the security of the vault is rendered useless if the branch manager does not treat the combination and/or keys with high levels of confidentiality and security.
The Same Can be Said for the Cloud
Now that these awesome and powerful tools are available to an organization, who governs the access? Who ensures permissions are appropriately handled? In the case of managing virtual servers instead of physical, are patches up to date? Are information security resources monitored for vulnerabilities such as Heartbleed and POODLE, and are those vulnerabilities quickly addressed?
These are things that MCFTech has recognized as extremely important for the security of both ourselves and our clients, which is why we obtained third-party validation of our practices via a SOC 2 report. SOC 2 is a widely accepted audit standard which checks an organization's commitment to the following areas: security, availability, processing integrity, and confidentiality. We are happy to report the auditors found no exceptions in our processes and procedures during their audit. We are committed to security in multiple ways. Some of those include code vulnerability testing, thorough processes and procedures, and routinely investing in R&D with new technologies to stay on the cutting edge.
To find out more about how MCFTech protects your business data, contact us today!