This white paper presents an architecture for building the next generation of web applications. The architecture lets you leverage emerging technologies such as cloud computing, cloud storage and enterprise key management infrastructure (EKMI) to gain lower costs, faster time-to-market and immense scalability with smaller investments, while proving compliance with PCI-DSS, HIPAA/HITECH and similar data security regulations. This is our approach to a hybrid cloud security architecture, also known as "Regulatory Compliant Cloud Computing," or RC3.
It should be apparent that the cloud is not as secure as you thought it might be: Capital One and Uber are two of the more well-known breaches of sensitive data in the cloud. Even if you have spent an inordinate amount of time and money securing your information in the cloud, zero-day vulnerabilities happen, and the cloud is like a neon sign to attackers, while your on-prem environment is analogous to the faltering bulb on your front porch. While we are not advocating moving out of the cloud, we have defined an application architecture that enables you to take advantage of the best the cloud has to offer while ensuring your sensitive data cannot be compromised in the cloud.
SMARTER, NOT HARDER
The emergence of cloud computing as an alternative deployment strategy for IT systems presents many opportunities but challenges traditional notions of data security. Now that data security regulations are developing teeth, information technology professionals are left perplexed about how to take advantage of cloud computing while proving compliance with regulations for protecting sensitive information.
There are many approaches to the problem, with the two extremes being: i) not using the cloud at all; or ii) embracing it completely. We believe the optimal solution lies in the middle: sensitive data is secured and managed within controlled zones, while non-sensitive data lives in clouds. This allows companies to prove compliance with data security regulations while leveraging clouds, private or public, to the maximum extent possible.
This paper describes how a specific web application architecture optimizes IT investments by using cloud computing while complying with data security regulations.