A Google search for ‘Cloud Computing Security’ returns about 13,600,000 results, which is far too much information for anyone to start with. So let’s summarize it, keeping a CSO’s concerns about cloud computing in mind.
What is Cloud Computing?
In simple words, ‘Cloud Computing’ is a collection of Internet or private-network based services that provide users and devices with scalable and economical (pay-as-you-go) information technology capabilities. The services offered by the cloud can be email hosting, email security, software development platforms, CRM, virtualized servers and storage, etc.
Even though there are multiple deployment models for cloud computing, the most common and popular are private and public clouds. The best example of a private cloud is the Defense Information Systems Agency (DISA) cloud; the best examples of public clouds are Google Apps and Amazon Elastic Compute Cloud (Amazon EC2). The major cloud computing categories include software as a service (SaaS), infrastructure as a service (IaaS) and platform as a service (PaaS).
Cloud computing is poised for significant growth over the next few years. Gartner, for example, projected in March 2009 that sales of cloud computing services would almost triple over five years, from $56 billion in revenues in 2009 to $150 billion in revenues in 2013.
So what are the major security concerns?
· User Privileges
When your data is in the cloud, cloud administrators can have privileged access to it, and sometimes these users will have malicious intent, which results in data loss or data leakage. As enterprises don’t have complete control of data processed outside the enterprise, ensure that you collect enough information about the people who administer the systems and data in the cloud. Ask whether the vendor has an individual screening policy and confidentiality agreements with potential employees.
· Incident Handling
As clouds follow a multi-tenant model with services scattered across the cloud, incident handling can be difficult. Make sure that you are aware of how the cloud provider handles logs and how much support they can give you in case of incidents.
· Logical data separation
In the cloud, all data separation is logical, which brings the risks associated with shared data storage. Check whether proper encryption and access controls are implemented for your critical data.
· Application related risks
When applications are shared, there can be security issues due to insecure interfaces and APIs. As the application moves from an internal to an external model, the risk increases because the application’s exposure is high. Ensure that SaaS applications are used as stand-alone services, with no integration with other applications or other PaaS or IaaS services. Be aware of SaaS APIs that use the REST (REpresentational State Transfer) model, as REST doesn’t have any predefined security methods.
· Network related risks
When your application moves from internal to external, its network exposure and its dependency on the network increase. The best examples are a man-in-the-middle attack or a DDoS attack targeted against your Internet gateway or your cloud provider’s gateway, which will result in a service outage.
· Disaster Recovery
Make sure you are aware of disaster recovery options provided by your cloud provider.
Whether it’s for regulatory compliance or any other legal requirement, customers are fully responsible for the confidentiality, integrity and availability of their own data. So make sure that you know how the cloud provider is handling your data.
Given all the above security concerns, can we say that it’s not good to go for cloud computing? The answer is no. The best approach is to start by moving less critical services to the cloud and to make sure that you are fully aware of what the cloud service provider is providing. Further, do proper due diligence and ask for specific certifications achieved by the provider, such as SAS70 Type II or ISO 27001. Even though SAS70 certification does not guarantee everything is fine with the provider, it can be a starting point.