One of the most common concerns and biggest misconception in regard to Cloud Technology relates to Cloud Security. This is especially true in the face of the continuous “hacking” incidents being reported in the news. Users new to the Cloud worry that storing their data in a non-in-house environment is not safe and that transmission over the Internet might result in data being stolen or lost. However nothing could be further from the truth.
The fact that in-house private networks tend to be connected to the internet (whether this is directly as an Intranet or indirectly through internal Wi-Fi networks) means they are just as susceptible to hacking as Cloud solutions. In the modern world where nearly every office is connected to the internet the only difference between systems is the level of security employed.
Tier IV Datacentres (the highest ANSI specification), used by Cloud Application providers such as AccountsIQ, provide a level of Processing and Data Security far beyond the reach of almost all in-house IT Departments. In addition SSL encryption technology employed on all Internet traffic from the smallest single datum, through individual transactions and even bulk file transfers, ensures that such traffic is unintelligible to anyone looking in with prying eyes.
In the second of our series of Cloud articles we take a look at the topic of Cloud Security.
Part 2 – Cloud Security
Datacentre operators provide a valuable and sought after service to the IT Community. As well as the many other benefits arising from the use of such facilities, Datacentres must offer a level of Security and Protection to their Clients which is unsurpassable. The consequence is that there are a number of “must haves” for the genuine Datacentre (Tier IV) provider.
There must be absolute security and continuity of Energy supply, security and continuity of extensive Cooling systems, security of both physical and non-physical Access, security against Calamity, security of Internet Communications, and despite all this, they must also have Contingency options.
Power security is achieved through connection to a least two separate electricity grid sub-stations backed up by extensive in-house Battery Storage for short term interruptions and Combo Gas-Diesel Generators in the event of a prolonged power outage (and indeed most Tier 4 datacentres will also have their own off site fuel storage facilities). These Energy requirements not only apply to that used by the Computer Processors, Telecommunications equipment and Storage Devices, but also to the Cooling equipment to keep the IT and related equipment functioning properly within their normal operating temperature range.
There must be a high level of redundancy in the amount of Cooling devices installed, all of which should be dual-powered, to ensure that if one or more fails, then there is more than sufficient excess capacity to cover all contingencies. There is frequent (weekly) testing of the electrical backup systems to ensure their continued functioning. This includes a deliberate power down of the main supply to ensure that there isn’t the slightest interruption to the continuous processing and communication occurring in the many servers hosted within the facility.
Tier IV Datacentres should also be “Carrier Neutral”. That is – they should have cross and inter-connection across several Telecommunications Network providers, not only to ensure independence but also to have redundancy in this area as well, should any one network become unavailable or overloaded. And, of course, they must have the highest speeds available on these Fibre Optic Cable (FOC) networks for their Internet and Private Network Clients.
Everybody at home knows what happens when the domestic Internet connection “goes down” for some reason or other. However, continuity of service in this area is a vital component in the provision of Datacentre services and consequently demands several, if not many, networks to be available and interconnected.
Security of Access involves both physical access to the Datacentre itself and also protection against unauthorized access by “hackers” and such like over the Internet. Regarding the former, Tier IV Datacentres will have 24/7 Manned Security and Perimeter CCTV and Alarms. The Datacentre itself is, of course, also manned 24/7 by Operations staff and Maintenance Engineers.
In addition many larger Clients will have their own equipment installed in Cages to which they and only their own Engineers will have access. Access by Client personnel and others to the Datacentre facility itself is strictly controlled using Bio-Metric readers in a number of strategic locations throughout the facility.
Datacentres are also equipped with the very highest levels of penetration defence and firewalls, anti-hacking and anti-denial of service protections. They deploy the very latest and most up-to-date Security Software in this regard, with continuous updates of Security Patches to counter new threats as they emerge.
The “anti-denial of service” software (DDOS) instantly detects bombardment by an extremely high volume of very rapid transactions to try to overload a Client’s computer infrastructure and make it otherwise unusable (which is allegedly what caused the Talk Talk penetration), and counteracts such attacks automatically. And, of course, the Application Software providers will also have their own security measures in all of these areas of protection as well.
To minimise the possibility of Calamity, Datacentres are also equipped with the most up to date and comprehensive fire detection and fire prevention systems and other contingency protection measures and these defensive and safety systems are fully tested at a minimum of once a month. And, it goes without saying, locating the Datacentre in an appropriate site is also very important to ensure against earthquakes, extreme weather, warlike conflict, strikes, and also in a desirable location which delivers a continuing stable economic environment as well as continuity of the necessary services and skilled labour.
Nevertheless, and regardless of these precautions, Tier 4 Datacentres also have contingency measures to guard against such calamitous possibilities by frequent backup all of their Clients data onto remote locations with great frequency.
All of the Computing Devices and Telecommunications Equipment (as well as the Cooling and Fire Detection, etc. equipment) hosted in the Datacentre are electronically monitored centrally by the Datacentre Management Team in their Network Operations Centre (NOC) inside the Datacentre. This is carried out continuously on a 24/7 basis to detect any performance degradation or lack of capacity or breakdown of any component.
Any such decay or falling-off in performance is then rectified immediately as appropriate. Tier 4 Datacentres generally guarantee up-time in excess of 99.98% (inclusive of planned downtime). All in all these facilities and service levels could not be surpassed except in those organisations with an annual IT Budget far in excess of that of most businesses.
Economies of scale are achieved by the Datacentre operators through rental of space in their facilities to many different Clients like accountsIQ, who, in turn, further achieve economies of scale by providing extensive infrastructure with unlimited storage and computing power to our own Customers using the AccountsIQ Application suite of Accounting software hosted in Datacentres in the USA, United Kingdom and Australia.
Traffic, through and from the Datacentre over the Internet is protected by SSL (Secure Sockets Layer) which is the proven standard security technology for establishing an encrypted link between a Browser Device and the accountsIQ Processors in the Datacentre. This technology, which is ensures that all data passed between the Accounts Application and the Users’ Desktops of Laptops remain private and integral (that is to say, “what was sent is what is received”).
SSL, which uses Private Keys and Public Keys to create specific encryption for each Certified Client is an industry standard and is used by millions of websites in the protection of their online transactions with their customers. You know you are connected to a secure server when you see the letter “S” tagged onto the “http” part of the address URL and also when there is also a “padlock” symbol in the address bar.
The data to be transmitted is encrypted at the sending end (either the User’s Internet Browser or the response from the Application System) and can only be unencrypted by the receiver. Anyone looking in will only encounter gibberish.
Turning to the Security aspects of the AccountsIQ infrastructure located in these three Datacentres: All of the data held within the accountsIQ system is stored using Storage Area Networks (SAN) technology connected to the Database Servers via a firewall.
These database servers can only be accessed from the Application Servers which themselves are located behind another firewall, and finally a third firewall protects the Web Services Server connecting to the App servers. This is a 3 tier firewall system that also hosts the Disaster Recovery site and Backup Servers, all of which is located in a Datacentre that has 24/7 security monitoring and constant updates of new security threat patches.
In addition, the AccountsIQ Application Software, Communication facilities and Hardware Infrastructure within the Datacentre(s) has also been rigorously “penetration” tested by independent security experts. Penetration stress tests are designed to identify any weaknesses in the entire system’s architecture and are deliberately designed to compromise servers, endpoints, software applications, wireless networks, network devices, and all other potential points of exposure.
Once vulnerabilities have been identified and rectified, the tests are repeated out at ever higher levels of security clearance and deeper access to electronic assets and information via privilege escalation. These rigorous tests are repeated annually to ensure the continued robustness and resilience of the entire system.
AccountsIQ has infrastructure deployed and available in three Datacentre sites – globally and strategically located in the USA, UK, mainland Europe and Australia. Our Customers have Cloud facilities located close to their business operation which minimises any Internet latency delays. Each facility is backed up to the others (and the Disaster Recovery site) once a day and during the day, the systems are constantly backed up and, in the unlikely event of it being required, any restore of an individual system can be done to within one hour of the last session.
For more information, read our page on cloud accounting security.