70 - Blog - Global Risk Community | feed updated 2024-03-29T13:06:48Z | https://globalriskcommunity.com/profiles/blogs/feed/tag/70 | Cloud Computing – Chief Security Officers (CSO) Concerns | https://globalriskcommunity.com/profiles/blogs/cloud-computing-chief | published 2010-11-29T08:52:35.000Z | Biji Scaria | https://globalriskcommunity.com/members/BijiScaria<div><p class="MsoNormal" style="margin:0in 0in 10pt;"><span style="font-size:11pt;line-height:115%;font-family:Calibri, 'sans-serif';"><font color="#000000">A Google search for ‘Cloud Computing Security’ returns about 13,600,000 results, which is far too much information for anyone to start with. So let’s summarize it with a CSO’s concerns about cloud computing in mind.</font></span></p><p class="MsoNormal" style="margin:0in 0in 10pt;"><span style="font-size:11pt;line-height:115%;font-family:Calibri, 'sans-serif';"><font color="#000000"><strong>What is Cloud Computing?</strong></font></span></p><p class="MsoNormal" style="margin:0in 0in 10pt;"><span style="font-size:11pt;line-height:115%;font-family:Calibri, 'sans-serif';"><font color="#000000">In simple words, ‘Cloud Computing’ is a collection of Internet- or private-network-based services that provide users and devices with scalable and economical (pay-as-you-go) information technology capabilities. The services offered by the cloud can be email hosting, email security, software development platforms, CRM, virtualized servers and storage, etc.</font></span></p><p class="MsoNormal" style="margin:0in 0in 10pt;"><span style="font-size:11pt;line-height:115%;font-family:Calibri, 'sans-serif';"><font color="#000000">Even though there are multiple deployment models for cloud computing, the most common and popular are private and public clouds. 
The best examples are the Defense Information Systems Agency (DISA) cloud for a private cloud, and Google Apps and Amazon Elastic Compute Cloud (Amazon EC2) for public clouds. The major cloud computing service categories are software as a service (SaaS), platform as a service (PaaS) and infrastructure as a service (IaaS).</font></span></p><p class="MsoNormal" style="margin:0in 0in 10pt;"><span style="font-size:11pt;line-height:115%;font-family:Calibri, 'sans-serif';"><font color="#000000">Cloud computing is poised for significant growth over the next few years. Gartner, for example, projected in March 2009 that sales of cloud computing services would almost triple over five years, from $56 billion in revenue in 2009 to $150 billion in 2013.</font></span></p><p class="MsoNormal" style="margin:0in 0in 10pt;"><span style="font-size:11pt;line-height:115%;font-family:Calibri, 'sans-serif';"><font color="#000000"><strong>So what are the major security concerns?</strong></font></span></p><p class="MsoListParagraph" style="margin:0in 0in 10pt .5in;text-indent:-.25in;"><span style="font-size:11pt;line-height:115%;font-family:Calibri, 'sans-serif';"><font color="#000000"><span style="font-family:Symbol;"><span>· </span></span><strong>User Privileges</strong></font></span></p><p class="MsoNormal" style="margin:0in 0in 10pt .25in;">Once your data is in the cloud, the provider’s administrators can have privileged access to it, and an administrator with malicious intent can cause data loss or data leakage. Because the enterprise no longer has complete control over data processed outside its own boundary, ensure that enough information is collected about the people who administer the systems and data in the cloud. 
Ask whether the vendor has an individual screening policy and signs confidentiality agreements with prospective employees.</p><p class="MsoListParagraph" style="margin:0in 0in 10pt .5in;text-indent:-.25in;"><span style="font-family:Symbol;"><span>· </span></span><strong>Incident Handling</strong></p><p class="MsoNormal" style="margin:0in 0in 10pt .25in;">Because clouds follow a multi-tenant model, with services scattered across the provider’s infrastructure, incident handling can be difficult. Make sure you know how the cloud provider handles logs and how much support they can give you during an incident.</p><p class="MsoListParagraph" style="margin:0in 0in 10pt .5in;text-indent:-.25in;"><span style="font-family:Symbol;"><span>· </span></span><strong>Logical data separation</strong></p><p class="MsoNormal" style="margin:0in 0in 10pt .25in;">In the cloud, all data separation is logical, which brings the risks that come with shared storage. Check whether proper encryption and access controls are implemented for your critical data.</p><p class="MsoListParagraph" style="margin:0in 0in 10pt .5in;text-indent:-.25in;"><span style="font-family:Symbol;"><span>· </span></span><strong>Application related risks</strong></p><p class="MsoNormal" style="margin:0in 0in 10pt .25in;">When applications are shared, insecure interfaces and APIs can introduce security issues. As an application moves from an internal to an external model the risk increases, because its exposure is much greater. Ensure that SaaS applications are used as stand-alone services, with no integration with other applications or with other PaaS or IaaS services. 
Be aware of SaaS APIs that use the REST (REpresentational State Transfer) model: REST is an architectural style and defines no security mechanism of its own, so authentication, authorization and transport protection (TLS) have to be layered on by the provider, and you should verify that they are.</p><p class="MsoListParagraph" style="margin:0in 0in 10pt .5in;text-indent:-.25in;"><span style="font-family:Symbol;"><span>· </span></span><strong>Network related risks</strong></p><p class="MsoNormal" style="margin:0in 0in 10pt .25in;">When your application moves from internal to external, both the network exposure and the dependency on the network increase. Typical examples are a man-in-the-middle attack, or a DDoS attack against your Internet gateway or your cloud provider’s gateway, which results in a service outage.</p><p class="MsoListParagraph" style="margin:0in 0in 10pt .5in;text-indent:-.25in;"><span style="font-family:Symbol;"><span>· </span></span><strong>Disaster Recovery</strong></p><p class="MsoNormal" style="margin:0in 0in 10pt;text-indent:.25in;">Make sure you know the disaster recovery options your cloud provider offers.</p><p class="MsoListParagraph" style="margin:0in 0in 10pt .5in;text-indent:-.25in;"><span style="font-family:Symbol;"><span>· </span></span><strong>Legal</strong></p><p class="MsoNormal" style="margin:0in 0in 10pt .25in;">Whether for regulatory compliance or any other legal requirement, customers remain fully responsible for the confidentiality, integrity and availability of their own data. So make sure you know how the cloud provider handles your data.</p><p class="MsoNormal" style="margin:0in 0in 10pt;"><strong>Conclusion.</strong></p><p class="MsoNormal" style="margin:0in 0in 10pt;">Given all the above security concerns, should we conclude that cloud computing is not worth adopting? The answer is no. The best approach is to start by moving less critical services to the cloud, and to make sure you fully understand what the cloud service provider is actually providing. 
Further, do proper due diligence and ask for specific attestations such as a SAS 70 Type II audit report or ISO 27001 certification. Even though a SAS 70 report does not guarantee that everything is fine with the provider, it can be a starting point.</p></div>
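The point made under ‘Application related risks’ above is that REST itself gives you nothing for security, so whatever protects a cloud API has to be added on top of it. As an added example (not code from the original post, and not any particular provider’s scheme), the following Python shows one such layer: HMAC request signing of the kind public IaaS APIs adopted, where the client signs the method, path, timestamp and body hash with a per-tenant secret, and the server recomputes the MAC, rejects stale timestamps and compares in constant time. The shared secret, endpoint path, header names and sample request are all constructed for illustration.

```python
"""Added example: HMAC request signing layered on a plain REST API.

REST defines no authentication or integrity mechanism, so this is the kind
of scheme a provider (or a customer fronting its own API) adds on top:
every request carries a timestamp and an HMAC over the method, path,
timestamp and body hash.  The server recomputes the MAC, rejects requests
outside a replay window and compares digests in constant time.
"""
import hashlib
import hmac
import time

# Constructed shared secret; a real provider issues one per tenant/API key.
SHARED_SECRET = b"tenant-42-secret-key-example"
# Requests whose timestamp is further than this from server time are refused.
REPLAY_WINDOW_SECONDS = 300


def canonical_string(method: str, path: str, timestamp: int, body: bytes) -> bytes:
    """Bind every security-relevant part of the request into one byte string.

    Hashing the body lets the MAC cover the payload without embedding it;
    newline separators keep the fields from being shifted into one another.
    """
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, str(timestamp), body_hash]).encode()


def sign_request(method: str, path: str, body: bytes,
                 secret: bytes = SHARED_SECRET, now=None) -> dict:
    """Client side: return the headers to attach to the HTTP request."""
    timestamp = int(now if now is not None else time.time())
    mac = hmac.new(secret, canonical_string(method, path, timestamp, body), hashlib.sha256)
    return {"X-Timestamp": str(timestamp), "X-Signature": mac.hexdigest()}


def verify_request(method: str, path: str, body: bytes, headers: dict,
                   secret: bytes = SHARED_SECRET, now=None):
    """Server side: return (accepted, reason) for an incoming request."""
    now = int(now if now is not None else time.time())
    try:
        timestamp = int(headers["X-Timestamp"])
        presented = headers["X-Signature"]
    except (KeyError, ValueError):
        return False, "missing or malformed signature headers"
    # Replay window: an old captured request cannot be resent indefinitely.
    if abs(now - timestamp) > REPLAY_WINDOW_SECONDS:
        return False, "timestamp outside replay window"
    expected = hmac.new(secret, canonical_string(method, path, timestamp, body),
                        hashlib.sha256).hexdigest()
    # Constant-time comparison avoids leaking how many bytes matched.
    if not hmac.compare_digest(expected, presented):
        return False, "signature mismatch"
    return True, "ok"


def demo() -> dict:
    """Walk a valid request, tampered variants and a late replay through verify."""
    t0 = 1_700_000_000                      # fixed clock so the run is reproducible
    body = b'{"instance":"i-0123","action":"terminate"}'   # constructed sample body
    headers = sign_request("POST", "/v1/instances", body, now=t0)
    return {
        "valid": verify_request("POST", "/v1/instances", body, headers, now=t0 + 5)[0],
        "tampered_body": verify_request("POST", "/v1/instances",
                                        body.replace(b"i-0123", b"i-9999"), headers, now=t0 + 5)[0],
        "tampered_path": verify_request("POST", "/v1/instances/admin", body, headers, now=t0 + 5)[0],
        "replayed_later": verify_request("POST", "/v1/instances", body, headers, now=t0 + 3600)[0],
        "no_headers": verify_request("POST", "/v1/instances", body, {}, now=t0)[0],
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case:15s} -> {'accepted' if accepted else 'rejected'}")
```

Two caveats a practitioner would add: the timestamp window only bounds replays, so an API that performs non-idempotent actions (like the terminate call above) also needs a server-side nonce or request-id store, and the signature does nothing for confidentiality, which is why the transport still has to be TLS with the provider’s certificate actually verified.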