Table of Contents Table of Contents
Previous Page  85 / 96 Next Page
Information
Show Menu
Previous Page 85 / 96 Next Page
Page Background

W H I T E P A P E R

© 2017 Persistent Systems Ltd. All rights reserved. 85

www.persistent.com

7.3.3.2 Security

If sensitive data such as medical records or financial information can’t be put on a public cloud but the customer

wants to take advantage of public cloud scalability, flexibility and fast ramp-up, consider implementing a hybrid

cloud architecture. This way customer can slice sensitive data out from non-sensitive data and store the former in

private storage (on premises or in a private cloud) and the latter in the public cloud. Customers can address the

performance issues of this data split by locating their private infrastructure within a colocation facility close to the

public cloud of their choice. As mentioned in the above section, consider using a network provider to further reduce

latency.

Cloud DW may contain data for multiple source tenants or customers. It is recommended to separate the multi-

tenant DWsystems by either

Sharing the schema among all tenants, partitioning a table by tenant-id and injecting filter clauses by

tenant-id to each SQL request, or

Separate table for each tenant, or

Separate database schema for each tenant

For stronger isolation guarantees, consider using Virtual Private Networks.

Perform frequent operational readiness checks in terms of system surveillance and incident management for

system failure, as well as incidents such as fire or other crises, business continuity plans, and how often and

what kind of vulnerability assessments are to be performed.

Manage user accounts – Ensuring that users have appropriate levels of permissions to access the resources

they need, but nomore than that, is an important part. These can be ensured by creating cloud accounts.

Manage OS-level access to the Virtual Machine instances or images.

Platform and application security: This should include intrusion detection; support for secure connectivity via

VPN, SSL, and others; and role-based access controls.

Data security: This includes provisions for controls to maintain the integrity of data and for secure transmission

of data using encryption or other techniques.

Security measures that rely on encryption do require public-private keys. In the cloud, as in an on-premises

system, it is essential to keep keys secure. You can use existing processes to manage encryption keys in the

cloud, or you can leverage server-side encryption with Cloud vendor provided key management and storage

capabilities.

Always change vendor-supplied defaults before creating new images or prior to deploying new applications

Remove or disable unnecessary user accounts

Enable only necessary and secure services, protocols, daemons, etc., as required for the functioning of the

system. Disable all non-essential services, because they increase the security risk exposure for the instance,

as well as the entire system.

Disable or remove all unnecessary functionality, such as scripts, drivers, features, subsystems, EBS volumes,

and unnecessary web servers.

1 80 81 82 83 84 85 86 87 88 89 90 91 96  FlippingBook