
Security Challenges for Cloud Computing - How Prepared Are You?


Cloud computing is here, and has been embraced by many an organization. Cloud computing as defined by the US National Institute of Standards and Technology (NIST) is "a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction" [1]. Cloud computing is basically about outsourcing IT resources, just as you would draw utilities like electricity or water from a shared public grid. The cloud service options include:

Software as a Service (SaaS): The consumer uses the cloud provider's applications running on a cloud infrastructure, and the applications are accessible from various client devices through a thin client interface such as a web browser (e.g., web-based email).

Platform as a Service (PaaS): Here the consumer deploys their own applications on the provider's infrastructure. This option allows the customer to build business applications and bring them online quickly; these include services like email campaign management, sales force automation, employee management, vendor management, etc.

Infrastructure as a Service (IaaS): The consumer has access to processing, storage, networks, and other fundamental computing resources where the consumer is able to deploy and run arbitrary software, which can include operating systems and applications. The consumer does not manage or control the underlying cloud infrastructure but has control over operating systems, storage, deployed applications, and possibly limited control of selected networking components (e.g., host firewalls).

Cloud computing has become popular because enterprises are constantly looking to cut costs by outsourcing storage and software (as a service) to third parties, allowing them to concentrate on their core business activities. With cloud computing, enterprises save on setting up their own IT infrastructure, which would otherwise be costly in terms of initial investment in hardware and software, as well as continued maintenance and human resource costs.

According to the Gartner report on cloud security [2], enterprises require a new skill set to handle the challenges of cloud security. Enterprises need to see to it that their cloud service provider has most of "the boxes ticked" and that they have their security concerns addressed. Because cloud computing is a somewhat new field of IT with no specific standards for security or data privacy, cloud security continues to present managers with several challenges. Your provider needs to be able to address the issues that come up, including the following:

Access control / user authentication: How is access control managed by your cloud service provider? To be more specific, do you have options for role-based access to resources in the cloud? How is the process of password management handled? How does that compare to your organization's information security policy on access control?

Regulatory compliance: How do you reconcile the regulatory compliance issues regarding data in a totally different country or location? How about data logs, events and monitoring options for your data; does the provider allow for audit trails which could be a regulatory requirement for your organization?

Legal issues: Who is liable in case of a data breach? How does the legal framework in the country where your cloud provider is based compare vis-à-vis your own country? What contracts have you signed, and what issues have you covered or discussed with the provider in case of legal disputes? How about local laws and jurisdiction where data is held? Do you know exactly where your data is stored? Are you aware of the conflicting regulations on data and privacy? Have you asked your provider all the right questions?

Data safety: Is your data safe in the cloud? How about the problems of man-in-the-middle attacks and Trojans for data moving to and from the cloud? What are the encryption options offered by the provider? Another important question to ask is: who is responsible for the encryption/decryption keys? [3] You will also find that cloud providers work with several other third parties, who might have access to your data. Have you had all these concerns addressed by your provider?

Data separation / segregation: Your provider could be hosting your data along with that of several other clients (multi-tenancy). Have you been given verifiable assurance that this data is segregated and separated from the data of the provider's other clients? According to the Gartner report, it's a good practice to find out "what is done to segregate data at rest" [2].

Business continuity: What is the acceptable cloud service downtime that you have agreed with your provider? Does this downtime compare well with your organization's acceptable downtime policy? Are there any penalties or compensation for downtime, which could lead to business loss? What measures does your provider have in place to ensure business continuity and availability of your data and services hosted on their cloud infrastructure in case of disaster? Does your provider have options for data replication across multiple sites? How easy is restoring data in case the need arises?

Cloud service providers have increased their efforts in addressing some of the most pressing issues with cloud security. In response to cloud security challenges, an umbrella non-profit organization called the Cloud Security Alliance was formed. Its members include Microsoft, Google, Verizon, Intel, McAfee, Amazon, Dell, and HP, among others. Its mission is "To promote the use of best practices for providing security assurance within Cloud Computing, and provide education on the uses of Cloud Computing to help secure all other forms of computing" [4].

As more and more organizations move to the cloud for web-based applications, storage, and communications services for mission-critical processes, there is a need to ensure that cloud security issues are addressed.

References

1. National Institute of Standards and Technology (NIST), Cloud Computing definition, I.T. Laboratory, Editor. 2009.

2. Gartner, Assessing the Security Risks of Cloud Computing. 2008.

3. Rittinghouse, J.W. and J.F. Ransome, Cloud Computing: Implementation, Management, and Security. 2009, New York: Auerbach Publications.

4. Cloud Security Alliance. 2011; Available from: https://cloudsecurityalliance.org/.




About the Author

Mr. Thomas Bbosa, CISSP, is an Information Systems Security Consultant and Managing Partner with BitWork Consult Ltd (http://www.bitworkconsult.com), a leading East African IT security consulting firm based in Kampala, Uganda. He is a Certified Information Systems Security Professional (CISSP) with over 12 years' experience in the IT industry. He has been involved in various roles in IT infrastructure management and support, and in information systems security management and solutions deployment.