Cloud Computing Security Challenges: How Ready Are You?

Cloud computing is here and has been adopted by many organizations. As defined by the US National Institute of Standards and Technology (NIST), cloud computing is “a model for enabling convenient, on-demand network access to a shared set of configurable computing resources (for example, networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or interaction with the service provider” [1]. Cloud computing is basically about outsourcing IT resources, just as you would obtain utilities like electricity or water from a shared public network. Cloud service options include:

Software as a Service (SaaS): The consumer uses the cloud provider’s applications, which run on a cloud infrastructure and are accessible from various customer devices through a thin client interface, such as a web browser (for example, web-based email).

Platform as a Service (PaaS): Here the consumer deploys their own applications on the provider’s infrastructure. This option allows the customer to create business applications and quickly bring them online. It includes services like email campaign management, sales force automation, employee management, vendor management, etc.

Infrastructure as a Service (IaaS): The consumer has access to processing, storage, networking, and other critical computing resources where the consumer can deploy and run arbitrary software, which may include operating systems and applications. The consumer does not manage or control the underlying cloud infrastructure, but does have control over the operating systems, storage, deployed applications, and possibly limited control of selected network components (for example, host firewalls).

Cloud computing has become popular because companies are constantly looking to reduce costs by outsourcing storage and software (as a service) to third parties, allowing them to focus on their core business activities. With cloud computing, companies save on setting up their own IT infrastructure, which would otherwise be costly in terms of initial investment in hardware and software, as well as ongoing maintenance costs and human resources.

According to the Gartner report on cloud security [2], businesses require a new set of skills to handle cloud security challenges. Businesses need to ensure that their cloud service provider has most of the “boxes checked” and that their security concerns are addressed. With cloud computing being a somewhat new field of IT with no specific standards for data security or privacy, cloud security continues to present managers with various challenges. Your provider needs to be able to address some of the issues that arise, including:

Access control/user authentication: How does your cloud service provider manage access control? To be more specific, do you have options for role-based access to cloud resources? How is the password management process handled? How does that compare to your organization’s information security policy on access control?

Regulatory compliance: How do you reconcile regulatory compliance issues regarding data in a totally different country or location? What about data logs, events, and monitoring options for your data? Does the provider allow audit trails that might be a regulatory requirement for your organization?

Legal issues: Who is responsible in case of a data breach? How does the legal framework in the country where your cloud provider is located compare vis-à-vis your own country? What contracts have you signed, and what topics have you covered/discussed with the provider in case of legal disputes? What about local laws and the jurisdiction where the data is stored? Do you know exactly where your data is stored? Are you aware of the conflicting rules on data and privacy? Have you asked your provider all the right questions?

Data security: Is your data safe in the cloud? What about the problems of man-in-the-middle attacks and Trojans, for data moving to and from the cloud? What are the encryption options offered by the provider? Another important question to ask is: who is responsible for encryption/decryption keys? [3] You will also find that cloud providers work with other third parties, who may have access to your data. Have you had all of these concerns addressed by your provider?

Data separation/segregation: Your provider may host your data together with data from several other customers (multi-user). Have you been given verifiable assurance that this data is segregated and separate from the data of the provider’s other customers? According to the Gartner report, it is good practice to find out “what is being done to segregate data at rest.” [2]

Business continuity: What is the acceptable downtime of the cloud service that you have agreed with your provider? Do these downtimes compare well with your organization’s acceptable downtime policy? Are there any penalties/compensation for downtime that could lead to loss of business? What measures does your provider implement to ensure business continuity and availability of your data/services that are hosted on their cloud infrastructure in the event of a disaster? Does your provider have options for multi-site data replication? How easy is it to restore data should the need arise?

Cloud service providers have increased their efforts to address some of the most pressing issues related to cloud security. In response to security challenges in the cloud, a non-profit umbrella organization called the Cloud Security Alliance was formed. Its members include Microsoft, Google, Verizon, Intel, McAfee, Amazon, Dell, and HP, among others. Its mission is “To promote the use of best practices to provide security assurance within cloud computing and to provide education on the uses of cloud computing to help protect all other forms of computing.” [4]

As more and more organizations move to the cloud for web-based applications, storage, and communications services for mission-critical processes, there is a need to ensure that cloud security issues are addressed.

References

1. National Institute of Standards and Technology (NIST), Cloud Computing Definition, IT Lab. 2009.
2. Gartner, Cloud Computing Security Risk Assessment. 2008.
3. Rittinghouse, J.W. and J.F. Ransome, Cloud Computing: Implementation, Management and Security. 2009, New York: Auerbach Publications.
4. Cloud Security Alliance. 2011; Available at: https://cloudsecurityalliance.org/.
