Posts Tagged 'Security'

July 26, 2016

Cloud HSM: Our secure key management approach

Customers concerned about key management often require an HSM (hardware security module). They want the same level of key protection in the cloud as they have on-premises. An HSM provides guaranteed access to encrypted data for authorized users by storing mission-critical master encryption keys in the HSM and backing them up. Powered by SafeNet’s HSM and hosted in geographically dispersed data centers under controlled environments independently validated for compliance, IBM Cloud HSM offers enterprises high-assurance protection for encryption keys and also helps customers meet their corporate, contractual, and regulatory compliance requirements.

You can easily order Cloud HSM through the SoftLayer customer portal or the SoftLayer APIs. A dedicated FIPS compliant HSM device will be provisioned inside your private network.

The HSM access credentials provided to you are reset as part of your first login. This ensures that you are the only entity with access to your HSM’s functionality. SoftLayer is responsible for managing the HSM in terms of health and uptime; this is done without access to the partitions, roles, or keys stored and managed on the HSM. You are responsible for using the HSM to manage and back up your keys.

Cloud HSM supports a variety of use cases and applications, such as database encryption, digital rights management (DRM), public key infrastructure (PKI), authentication and authorization, document signing, and transaction processing. NAT and IP aliasing will not work with HSM, while BYOIP might be possible in the future. Cloud HSM is not currently available in federal data centers, but it certainly is on the roadmap.


Cloud HSM is “used” and accessed in exactly the same way as an on-prem managed HSM.

As part of provisioning, you receive administrator credentials for the appliance; you then initialize the HSM, manage it, create roles, and create HSM partitions on the appliance. After creating HSM partitions, you can configure a Luna client (on a virtual server) that allows applications to use the APIs provided by the HSM. The cryptographic partition is a logical and physical security boundary whose knowledge is secure with the partition owner you authorize. Any attempt to tamper with the physical appliance will result in the data being erased. Similarly, incorrect login attempts beyond a threshold will erase the partitions, so we highly recommend backing up your keys.

Cloud HSM logical architecture

The following diagram illustrates the roles and responsibilities of SoftLayer and the customer:

Cloud HSM roles and responsibilities of SoftLayer and the customer

Cloud HSM key features

  • Secure key storage: Tamper-proof, FIPS 140-2 compliant hardware with multiple levels of authorization is provisioned in a private network in a secure data center and ensures the safety of your data. SoftLayer has no access to your keys, and the device is completely owned by the customer until cancelled.
  • Reliable key storage: Customers are encouraged to back up the keys and configure HSMs in high availability mode. SoftLayer will monitor uptime and connectivity.
  • Compliance requirements: SafeNet’s FIPS 140-2 validated appliance helps you meet the requirements of many compliance standards, including PCI-DSS.
  • Improved and secure connectivity: HSMs are deployed in your private VLAN to maintain more efficient and secure connectivity. Deploying a physical HSM appliance versus software running on a general purpose server provides users with an appliance that is built to handle the resource-intensive tasks of cryptography processing while reducing the latency to applications.
  • Audit requirements: Audit logs can be found on the HSM appliance.
  • On-demand: Cloud HSM can be easily ordered and canceled using the SoftLayer customer portal or APIs, and the offering is modeled to scale rapidly. The pricing model involves a one-time setup fee and recurring monthly fees.



February 10, 2016

The Compliance Commons: Do you know our ISOs?

Editor’s note: This is the first of a three-part series designed to address general compliance topics and to answer frequently asked compliance questions.

How many times have you been asked by a customer if SoftLayer is ISO compliant? Do you ever find yourself struggling for an immediate answer? If so, you're not alone.

ISO stands for International Organization for Standardization. The organization has published more than 19,000 international standards, covering almost all aspects of technology and business. If you have any questions about a specific ISO standard, you can search the ISO website. If you would like the full details of any ISO standard, an online copy of the standard can be purchased through their website. 

SoftLayer holds three ISO certifications, and we’re going after more. We offer industry standard best security practices relating to cloud infrastructure, including: 

ISO/IEC 27001: This certification covers the information security management process. It certifies that SoftLayer offers best security practices in the industry relating to cloud infrastructure as a service (IaaS). Going through this process and obtaining certification means that SoftLayer observes industry best practices in offering a safe and secure place to live in the cloud. It also means that our information security management practices adhere to strict, internationally recognized best practices.

ISO/IEC 27018: This certifies that SoftLayer follows the most stringent code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors. It establishes commonly accepted control objectives, controls, and guidelines for implementing measures to protect PII in accordance with the privacy principles in ISO/IEC 29100 for the public cloud computing environment. While not all of SoftLayer is public and while we have very distinct definitions for processing PII for customers, we decided to obtain the certification to solidify our security and privacy principles as robust.

ISO/IEC 27017: This is a code of practice for information security controls for cloud services. It’s the global standard for cloud security practices—not only for what SoftLayer should do, but also for what our customers should do to protect information. SoftLayer’s ISO 27017 certification demonstrates our continued commitment to upholding the highest, most secure information security controls and applying them effectively and efficiently to our cloud infrastructure environment. The standard provides guidance in, but not limited to, the following areas:

  • Information Security
  • Human Resources
  • Asset Management
  • Access Control
  • Cryptography
  • Physical and Environmental Security
  • Operations Security
  • Communications Security
  • System Acquisition, Development & Maintenance
  • Supplier Relations
  • Incident Management
  • Business Continuity Management
  • Compliance
  • Network Security

How can SoftLayer’s ISO certification benefit me as a customer?

Customers can leverage SoftLayer’s certifications as long as it’s done in the proper manner. Customers cannot claim that they’re ISO certified just because they’re using SoftLayer infrastructure. That’s not how it works. SoftLayer’s ISO certifications may make it easier for customers to become certified because they can leverage our certification for the SoftLayer boundary. Our SOC2 report (available through our customer portal or sales team) describes our boundary in greater detail: the customers are not responsible for certifying what’s inside SoftLayer’s boundary.  

How does SoftLayer prove its ISO compliance?

SoftLayer’s ISO Certificates of Registration are publicly available on our website and on our third-party assessor’s website. By design, our ISO certificates denote that we conform to and meet all the applicable objectives of each standard. Since the ISO standards are steadfast and constant controls for everyone, we don’t offer our reports from the audits, but we can provide our certificates.

What SoftLayer data centers are applicable to the ISO certifications?

All of them! Each ISO certificate is applicable to every one of our data centers, in the U.S. and internationally. SoftLayer obtained ISO certifications on every one of our facilities because we operate with consistency across the globe. When a new SoftLayer data center comes online, there is some lag time between opening and certification because we need to be reviewed by our third-party assessor and have operational evidence available to support our data center certification. But as soon as we obtain the certifications, we’ll make them available.

Visit for a full list of our certifications and reports. They can also be found through the customer portal.



December 17, 2015

Xen Hypervisor Maintenance - December 2015

Security of your assets on our cloud platform is very important to the SoftLayer team. Last week, our Security Operations Center – which provides real-time monitoring of suspicious activity (including being part of multiple security pre-disclosure lists) – alerted our engineering team to a potential vulnerability (advisory CVE-2015-8555 / XSA-165) in the Xen Hypervisor that, if left unremediated, could allow a malicious user to access data from another VSI guest sharing the same hardware node and hypervisor instance.

Upon learning of this vulnerability, SoftLayer issued a notification including a per-data center schedule for applying critical maintenance to remediate the vulnerability. Our schedule was performed over multiple days and on a POD-by-POD basis with individual VM instances being offline for minutes while they rebooted. The updates were completed successfully in all data centers in advance of the public announcement of this vulnerability.

While deployment techniques such as clustering and failover across data centers and PODs allow continuous operation during a planned or unplanned event, SoftLayer is also committed to working aggressively to further reduce the impact of such events on your deployment and operations teams.

We value your business and will continue to take actions that ensure your environment is secure and efficient to operate. If you have any questions or concerns, don't hesitate to reach out to SoftLayer support or your direct SoftLayer contacts.


November 2, 2015

The multitenant problem solver is here: VMWare 6 NSX on SoftLayer

We’re very excited to tell you about what’s coming down the pike here at SoftLayer: VMWare NSX 6! This is something that I’ve personally been anticipating for a while now, because it solves so many issues that are confronted on the multitenant platform. Here’s a diagram to explain exactly how it works:

As you can see, it uses the SoftLayer network, the underlay network and fabric, and uses NSX as the overlay network to create the SDN (Software Defined Network).

What is it?
VMware NSX is a virtual networking and security software product from VMware's vCloud Networking and Security (vCNS) and Nicira Network Virtualization Platform (NVP). NSX software-defined networking is part of VMware's software-defined data center concept, which offers cloud computing on VMware virtualization technologies. VMware's stated goal with NSX is to provision virtual networking environments without command line interfaces or other direct administrator intervention. Network virtualization abstracts network operations from the underlying hardware onto a distributed virtualization layer, much like server virtualization does for processing power and operating systems. VMware vCNS (formerly called vShield) virtualizes L4-L7 of the network. Nicira's NVP virtualizes the network fabric, L2 and L3. VMware says that NSX will expose logical firewalls, switches, routers, ports, and other networking elements to allow virtual networking among vendor-agnostic hypervisors, cloud management systems, and associated network hardware. It also will support external networking and security ecosystem services.

How does it work?
NSX network virtualization is an architecture that enables the full potential of a software-defined data center (SDDC), making it possible to create and run entire networks in parallel on top of existing network hardware. This results in faster deployment of workloads and greater agility in creating dynamic data centers.

This means you can create a flexible pool of network capacity that can be allocated, utilized, and repurposed on demand. You can decouple the network from underlying hardware and apply virtualization principles to network infrastructure. You’re able to deploy networks in software that are fully isolated from each other, as well as from other changes in the data center. NSX reproduces the entire networking environment in software, including L2, L3 and L4–L7 network services within each virtual network. NSX offers a distributed logical architecture for L2–L7 services, provisioning them programmatically when virtual machines are deployed and moving them with the virtual machines. With NSX, you already have the physical network resources you need for a next-generation data center.

What are some major features?
NSX brings an SDDC approach to network security. Its network virtualization capabilities enable the three key functions of micro-segmentation: isolation (no communication across unrelated networks), segmentation (controlled communication within a network), and security with advanced services (tight integration with leading third-party security solutions).

The key benefits of micro-segmentation include:

  1. Network security inside the data center: Fine-grained policies enable firewall controls and advanced security down to the level of the virtual NIC.
  2. Automated security for speed and agility in the data center: Security policies are automatically applied when a virtual machine spins up, moved when a virtual machine is migrated, and removed when a virtual machine is deprovisioned—eliminating the problem of stale firewall rules.
  3. Integration with the industry’s leading security products: NSX provides a platform for technology partners to bring their solutions to the SDDC. With NSX security tags, these solutions can adapt to constantly changing conditions in the data center for enhanced security.

As you can see, there are lots of great features and benefits for our customers.

You can find more great resources about NSX on SoftLayer here. Make sure to keep your eyes peeled for more great NSX news!


June 22, 2015

3 Reasons Citrix NetScaler Should Be in Your PCI DSS Compliant Application Stack at SoftLayer

Whether you already process credit card information or are just starting to consider it, you’ve likely made yourself familiar with the Payment Card Industry Data Security Standard (PCI-DSS). The PCI-DSS’s 12 requirements (plus one appendix for service providers) outline what you need to do to have a compliant workload and to pass your audits.

While SoftLayer handles the physical access and security aspects on our platform, we also offer tools to supplement your internal tools and processes to help you maintain PCI-DSS compliance such as the Citrix NetScaler VPX and MPX Platinum Edition product line.

Unique Features NetScaler Offers That Support PCI-DSS

  1. Mask Payment Account Numbers (PANs)

     With NetScaler Platinum Edition it’s possible to configure the device to block or mask PANs to prevent leakage of cardholder data—even if your application is attempting to present the data to a user. This is extremely useful when adhering to PCI-DSS Section 3.3—the first six and last four digits are the maximum number of digits to be displayed.

     NetScaler provides reporting as well so that your developers can tighten up that aspect of your application for more identification protection.

  2. Detect and Prevent Web-based Attacks

     By deploying a Web application firewall into your application stack, you can fully comply with PCI-DSS Section 6.6, which requires addressing new threats and vulnerabilities on an ongoing basis and ensuring these applications are protected against known attacks. The NetScaler Application Firewall module included in Platinum Edition provides continuous protection and can dynamically adjust to changes in your application code.

  3. Prevent Buffer Overflow, XML Security, Cross Site Scripting, & SQL Injection

     The NetScaler Web Application Firewall helps close the door on many common coding vulnerabilities outlined in PCI-DSS Section 6.5. By utilizing XML security protections, form tagging, dynamic context sensitive protections, and deep stream inspection, you can block, log, and report on these common security vectors and ensure your development team can shore up your applications.

How to Order
SoftLayer offers Citrix NetScaler VPX Standard and Platinum Editions in multiple bandwidth packages—10Mbps, 200Mbps, and 1Gbps. Order these quickly and easily from your customer portal devices page (click order devices, scroll to networking devices, and select Citrix NetScaler).

SoftLayer also provides the NetScaler MPX for customers that require a dedicated hardware appliance running the NetScaler OS that can handle thousands of concurrent SSL transactions. To order the MPX product, chat with one of our sales advisors.

Be sure to take a look at some of the other features included with Citrix NetScaler.

Learn More About PCI-DSS
SoftLayer supports PCI workloads by providing the physical security required in the DSS. Within the customer portal you’re able to pull our most recent SOC 2 Type II audit report. You can use this as part of your compliance strategy. The rest is up to you to take advantage of the tools and services to make sure you meet the remaining PCI standards. Additionally, when you’re working with your PCI-DSS qualified security assessor, we can also provide an Attestation of Compliance.

For more information on compliance standards, check out


May 14, 2015

Update - VENOM Vulnerability

Yesterday, a security advisory designated CVE-2015-3456 / XSA-133 was publicly announced. The advisory identified a vulnerability, which has become commonly known as "VENOM", through which an attacker could exploit floppy driver support in QEMU to escalate their privileges.

SoftLayer engineers, in concert with our technology partners, completed a deep analysis of the vulnerability and determined that SoftLayer virtual servers are not affected by this issue.

We're always committed to ensuring our customers' operations and data are well protected. If customers have any questions or concerns, don't hesitate to reach out to SoftLayer support or your direct SoftLayer contacts.


January 15, 2015

Hot in 2015: Trends and Predictions

As cloud technology moves into 2015, the pace of innovation in the cloud space continues to accelerate faster and faster. Being no stranger to innovation ourselves, we’ve got our collective finger on the pulse of what’s up and coming. Here are some trends we see on the horizon for cloud in 2015.

Hybrid cloud
As more and more workloads move to the cloud, many companies are looking for a way to leverage all of the value and economies of scale that the cloud provides while still being able to keep sensitive data secure. Hybrid cloud solutions, which can mean an environment that employs both private and public cloud services, on- and off-prem resources, or a service that combines both bare metal and virtual servers, will continue to grow in popularity. With 70 percent of CIOs planning to change their company’s sourcing and technology relationship within the next three years, Gartner notes that hybrid IT environments will dominate the space as they offer many of the benefits of legacy, old-world environments but still operate within the new-world as-a-service model.

Read more:
+IBM Hybrid Clouds

Bare metal
In 2015, the term bare metal will be officially mainstream. Early on, bare metal servers were seen as a necessity for only a few users, but now it has become the ideal solution for processor-intensive and disk I/O-intensive workloads like big data and analytics. We’ve been in the business of bare metal (formerly called dedicated servers) for 10 years now, and we’re happy to see the term become a standard part of the cloud dialogue. As cloud workloads get tougher and more complex in 2015, companies will continue to turn to bare metal for its raw performance.

Security
Security has been a hot topic in the news. In 2014, major retailers were hacked, certain celebrity photos were leaked, and issues surrounding government surveillance were in the spotlight. More than ever, these incidents have reminded everyone that the underlying architectures of the Internet are not secure, and without protections like firewalls, private networks, encryption, and other security features, private data isn’t truly private. In response to these concerns, tech companies will offer even higher levels of security in order to protect consumers’ and merchants’ sensitive data.

Read more:
+SoftLayer Cloud Security

Big data
Big data moves from hype and buzzword status to mainstream. The cloud industry has seen a change in the way big data is being put to work. It’s becoming more widely adopted by organizations of all types and sizes, in both the public and private sectors. One such organization is the Chicago Department of Public Health, which is using predictive analytics and data to experiment and improve food inspection and sanitation work. The city’s team has developed a machine-learning program to mine Twitter for tweets that use words related to food poisoning so that they can reply directly to posters, encouraging them to file a formal report. We’ll see much more of this kind of smart application of big data analytics to real-life problems in the year to come.

Read more:
+ In Chicago, Food Inspectors are Guided by Big Data

Docker
Docker is an open platform for developers and system administrators to build, ship, and run distributed applications. It enables apps to be quickly assembled from components and eliminates the friction between development, QA, and production environments. Streamlining workflow, the Docker software container allows developers to work on the exact same deployment stack that programmers use and contains all the dependencies within it. It can also be moved from bare metal to hybrid cloud environments—positioning it to be the next big thing on the cloud scene in 2015. IBM has already capitalized on Docker’s simplicity and portability by launching its IBM Containers service, part of Bluemix, last month. IBM Containers will help enterprises launch Docker containers directly onto the IBM Cloud via bare metal servers from SoftLayer.

Read more:
+At DockerCon Amsterdam, an Under Fire Docker Makes a Raft of Announcements

Health care
The medical and health care industries will continue to adopt cloud in 2015 to store, compute, and analyze medical data as well as address public concerns about modernizing record-keeping and file-sharing practices. The challenge will be keeping patients’ sensitive medical data secure so that it can be shared among health care providers, but kept safely away from hackers.

Read more:
+Coriell Life Sciences

Data sovereignty
In order to comply with local data residency laws in certain regions, many global companies are finding it necessary to host data in country. As new data centers are established worldwide, it’s becoming easier to meet data sovereignty requirements. As a result of launching new data centers, cloud providers are increasing the size and power of their network—creating even lower latency connections—and creating an even more competitive cloud marketplace. As a result, smaller players might be left in the dust in 2015.

Read more:
+ Cloud Security Remains a Barrier for CIOs Across Europe

Last, but certainly not least, 2015 will see an aggressive move to the cloud by enterprise organizations. The cost- and timing-saving benefits of cloud adoption will continue to win over large companies.

Read more:
+IBM Enterprise Cloud System

Looking Ahead
Martin Schroeter, senior vice president and CFO, finance and enterprise at IBM, has projected approximately $7 billion in total cloud-related sales in 2015, with $3 billion of that coming from new offerings and the rest from older products shifted to be delivered via the cloud.

SoftLayer will continue to match the pace of cloud adoption by providing innovative services and products, signing new customers, and launching new data centers worldwide. In Q1, our network of data centers will expand into Sydney, Australia, with more to come in 2015.

Read more:
+IBM’s Cloud-Based Future Rides on Newcomer Crosby
+InterConnect 2015


January 6, 2015

Three Ways to Enhance Your SoftLayer Portal Account Security

We’ve recently discussed how to craft strong passwords and offered advice on choosing a password manager, but we haven’t yet touched on multi-factor authentication (MFA), which has been available to our customers for many years now.

What is MFA?
MFA is another line of defense for securing your user accounts within the customer portal. The concept behind MFA is simple: Users present two (or more) ways to authenticate themselves by providing something known, such as a user name and password, and something possessed, such as a one-time password generated by a device or software application.

Why is MFA important?
Keeping passwords secure has always been a moving target. While you can train staff and enforce complex password policies, it’s difficult to prevent users from writing passwords down, saving them to files, or sharing them with others. By adding MFA, simply having a user password doesn't grant access to the resource. A user will need the user password in addition to an MFA token device, smartphone, or application.

What MFA options are available at SoftLayer?
SoftLayer offers three MFA methods to enhance portal account security:

Symantec Validation and ID Protection (VIP) – A smartphone app that generates a one-time password each time it is opened. This product can be used to securely access the SoftLayer portal. The app is $3 a month per user.

PhoneFactor – A unique system where a one-time password is texted to a mobile phone. Users also have the option of receiving a phone call to input a PIN before receiving a one-time password. This can be used to access the portal as well as the SoftLayer SSL VPN. PhoneFactor costs $10 a month per user.

Google Authenticator – Another smartphone application that generates one-time passwords; it can also be used to securely access the SoftLayer portal. It can be added for any user on an account free of charge.

Quickly Add MFA to SoftLayer Portal Users Today
It’s easy to add any of these MFA services to portal user accounts.

To add Symantec VIP or PhoneFactor:
  1. Log in to SoftLayer portal as the master user.
  2. Under the Account Tab click on Users.
  3. In the right hand column for each user, click the Actions icon and select Add External Authentication. You’ll then be able to subscribe to Symantec or PhoneFactor for that user.
To add Google Authenticator:
  1. Log in to SoftLayer portal as the master user.
  2. From the Accounts dropdown menu, select Users and then select your user account name.
  3. Scroll down and click the link to Add Google Authenticator to your account.
  4. From there, just snap the QR code with your GA application and you’re all set. The next time you log in you’ll be prompted to enter your authentication code after entering your username and password.

Any of these three MFA solutions will help ensure that your portal user accounts are secure, and all of them are easy to set up and quick to install. Feel free to reach out if you have any suggestions or questions about MFA with SoftLayer.

- Seth

December 10, 2014

Password Managers: One Password To Rule Them All

From banking to social media to gaming, the number of accounts we have today is growing out of control. Let’s be honest—it’s easy to use the same password or a variation of the same password for all online accounts, but if a hacker can break one of those passwords, they are one step closer to hacking every account.

Who really has the memory to store all those passwords anyway?

That’s where a password manager can help. It controls access by storing (online or locally) every password in an encrypted file that is only accessible by one strong master password.

When a user wants access to their SoftLayer account for example, the password manager will ask for the master password instead of the SoftLayer account password. It automatically populates the username and password fields and logs in.

Password managers are very convenient, but more importantly they enhance security because of the ability to use longer and harder passwords without worrying about forgetting or writing them down on sticky notes posted to a desktop screen.

Do I need a cross-platform password manager?
Today, most people access the same accounts on desktops, tablets, and mobile devices. If that’s you, then yes, you need a cross-platform solution. These Web-based options require yearly subscriptions upwards of $50 for a single user. The price of logging in anywhere might be steep, but the additional features might make it worth it. Password managers like Dashlane, LastPass, 1Password, and mSecure offer:

  • Secure storage of bank cards and any identity cards like driver licenses
  • Password generators
  • Keystroke logger protection
  • Automatic backup
  • Multifactor authentication like biometrics or a token
  • Access to pre-determined contacts in case of emergency or death
  • Team password sharing (the team lead controls the master password for a single account like a FedEx account and grants access via the user’s individual password manager)

Do I need a locally-based password manager?
If you’re not comfortable storing passwords online or you just use your desktop to access accounts, choose a password manager that encrypts and stores passwords on your PC. This option is the least convenient but most secure. All password managers listed above come in the locally-based option for free or at a fraction of the cross-platform price.

User Error
Although much more secure than not using one, password managers do have some downfalls (that stem from user error). Just like any password, you still need to change your master password regularly and never share passwords with anyone, and once the manager is installed, you should replace existing passwords with long, hard-to-guess ones or use the password generator for each online account.

And always remember to lock your computer or mobile device when not in use. Although password managers make it harder for hackers to virtually access your accounts, they do not protect against someone physically opening the file.

It’s also a good idea to check settings to ensure that when booting or waking up your device, the password manager requires you to re-enter the password.

Pa$$word1 ain’t cutting it.
If you’re not ready to commit to a password manager, think about the consequences the next time you are prompted to update your password. Adding a “1” to the end of your current password isn’t safe or smart.

We’ve all been there, and committing to a password manager is in some cases expensive, and setting one up can be time consuming depending on the number of accounts, so I understand the hesitation. But it’s worth it for that added layer of protection and security.


September 18, 2014

The Cloud Doesn't Bite, Part III

Why it's OK to be a server-hugger—a cloud server hugger.

(This is the final post in a three-part series. Read the first and second posts here.)

By now, you probably understand the cloud enough to know what it is and does. Maybe it's something you've even considered for your own business. But you're still not sold. You still have nagging concerns. You still have questions that you wish you could ask, but you're pretty sure no cloud company would dignify those questions with an honest, legitimate response.

Well we’re a cloud company, and we’ll answer those questions.

Inspired by a highly illuminating (!) thread on Slashdot about the video embedded below, we've noticed that some of you aren't ready to get your head caught up in the cloud just yet. And that's cool. But let's see if maybe we can put a few of those fears to rest right now.

“[The] reason that companies are hesitant to commit all of their IT to the cloud [relates to] keeping control. It's not about jobs, it's about being sure that critical services are available when you need them. Whenever you see ‘in the CLOUD!’, mentally replace it with ‘using someone else's server’—all of a sudden it looks a whole lot less appealing. Yes, you gain some flexibility, but you lose a LOT of control. I like my data to not be in the hands of someone else. If I don't control the actual machine that has my data on it, then I don't control the data.”

You guys are control FREAKS! And rightfully so. But some of us actually don't take that away from you. Believe it or not, we make it easier for you.

In fact, sometimes you even get to manage your own infrastructure—and that means you can do anything an employee can do. You'll probably even get so good at it that you'll wonder why we don't pay you.

But it doesn't stop at mere management. Oh, no, no, no, friends. You can even take it one further and build, manage, and have total control over your very own private cloud of virtual servers. Yes, yours, and yours only. Now announcing you, the shot caller.

The point is, you don't lose control over your data in the cloud. None. 'Cause cloud companies don't play like that.

“The first rule of computer security is physical access, which is impossible with cloud services, which means they are inherently insecure.”

Curious. So since you can't physically touch your money in your bank account, does that mean it's a free-for-all on your savings? Let us know; we'll bring buckets.

“These cloud guys always forget to mention one glaring problem with their model—they're not adding any new software to the picture.”

Ready for us to blow your minds? We're actually adding software all the time; you just don't see it—but you do feel it.

Your friendly Infrastructure as a Service (IaaS) providers out there are doing a lot of development behind the scenes. An internal software update might let us deploy servers 10 minutes faster, for example. You won't see that, but that doesn't mean it's not happening. If you're happy with your servers, then rest assured you're seeing some sweet software in action. Some cloud companies aren't exclusively focused on software (think Salesforce), but that doesn't mean the software is dial-up grade.

“I personally don't trust the cloud. Think about it for a moment. You are putting your data on a server, and you have no clue as to where it is. You have no clue about who else is able to see that data, and you have no clue about who is watching as you access your data and probably no clue if that server is up to date on security patches.”

Just ask. Simply ask all these questions, and you'd have all these answers. Not to be cheeky, but all of this is information you can and do have a right to know before you commit to anything. We're not sure what makes you think you don't, but you do. Your own due diligence on behalf of your data makes that a necessity, not a luxury.

“As long as I'm accountable, I want the hardware and software under my control. That way when something goes wrong and my boss calls and asks ‘WTF?’, I can give him something more than ‘Well I called Amazon and left a message with our account representative.’”

We can't speak for Amazon, but cloud companies often offer multiple ways you can get a hold of a real, live person because we get that you want to talk to us, like, yesterday. Yes, we totally get you. And we want to fix whatever ails you. In the cloud, that is.

But what makes you think we won't know when something goes wrong before you do? (Checkmate.)

“No matter how much marketing jargon you spew at people, ‘the cloud’ is still just a bunch of servers. Stop lying.”

Why yes, yes, it is. Who's lying to you about that? You're right. "They" should stop lying.

The concept of "the cloud" is simply about where the servers are located and how you consume computing, storage, and networking resources. In "the cloud," your servers are accessed remotely via a network connection (often the Internet, for most of the clouds you know and love) as opposed to being locally accessed while housed in a server room or physical location on the company premises. Your premises, as in wherever you are while performing your computing functions. But no one's trying to pull the wool over your eyes with that one.

Think about it this way: If servers at your location are "on the ground," then servers away from your location can be considered "in the cloud." And that's all there is to it.

Did we help? Did we clear the cloudy haze? We certainly hope so.

But this is just the beginning, and our door is always open for you to question, criticize, and wax philosophical with us when it comes to all things cloud. So get at us. You can chat with us live via our homepage, message us or post up on Facebook, or sling a tweet at a SLayer. We've got real, live people manning their stations. Consider the gauntlet thrown.
