Cloud Security Questions?
Here are some answers
Mar. 24, 2010 05:45 AM
For companies considering a transition to cloud computing (CC), one of the major concerns is (or should be) security. If addressed properly while selecting a cloud computing provider or cloud provider (CP), security can actually improve for many companies. For many firms, a cloud computing provider can provide better security than their in-house facilities. This is because the CPs are devoting huge resources to making security a non-issue for customers and, in fact, a selling point versus other CPs. With billions of dollars of potential business at stake, CPs are going to do their best to secure their environment. However, there are many new risks with CPs that should concern potential users.
Before trusting a particular provider, potential customers must perform adequate due diligence to make sure that the CP has the proper controls in place to protect their data and applications so they can obtain the required security and reliability. Fortunately, the competitive environment in which CPs operate provides selection options and, in many cases, more control than customers had with their own IT organization. Savvy cloud shoppers can play one provider against another to their advantage - if they know what to look for.
Customers must start by determining their overall system requirements including security. Then they can go to CPs and query them to make sure the customer's requirements are met. Asking the right questions and knowing what to look for in answers is the key to getting the expected level of security.
Who's On Your Side?
Another organization working on cloud security is the Trusted Computing Group (TCG) (see Sidebar). TCG has developed several standards that address cloud security and are in widespread use today, including Trusted Storage, Trusted Network Connect (TNC) and the Trusted Platform Module (TPM). See the TCG web site for more detailed information on these standards.
Cloud Computing Q&As
Figure 1: Security areas to investigate in cloud computing
One issue that must be considered for all of the questions is: "Should you use standards-based or home-brewed security solutions?" Home-brewed security solutions are not as secure as standards-based systems. This has been widely recognized in government and industry. That's why standard encryption algorithms like Advanced Encryption Standard (AES) and protocols like Transport Layer Security (TLS) are used. These standards have received years of thorough analysis and review. Furthermore, by using a standards-based security system, customers gain the flexibility and advantage of being able to move to a different provider if they choose to as they are not locked into one provider. This article identifies relevant standards as appropriate.
Another issue with cloud security is "How can I ensure that the CP fulfills their promises?" Make sure that the CP documents their promises in a Service Level Agreement, contract, or other written document.
1. Securing data at rest. How does the CP secure data at rest (on storage devices)?
2. Securing data in transit. How does the CP secure data in transit (within the cloud and on its way to and from the cloud)?
3. Authentication. How does the CP authenticate users?
4. Separation between the customers. How are one customer's data and applications separated from other customers (who may be hackers or competitors)?
Some CPs place all of their customers' programs and data in one big application instance and use custom-built code to prevent customers from seeing each other's data. This approach is fragile and ill-advised. First, a malicious party may find a bug in the custom code that lets them view data they should not be able to access. Second, a bug in the code can accidentally allow one customer to see data from another customer. Both these problems have occurred at CPs in the recent past. Therefore, VMs and virtual networks are the preferred form of customer separation.
5. Cloud legal and regulatory issues. How does the CP address legal and regulatory issues related to CC?
The CP must provide strong policies and practices that address legal and regulatory issues such as data security and export, compliance, auditing, data retention and destruction, and legal discovery (especially considering that one physical server may contain several customers' data). Each customer must have its legal and regulatory experts inspect CP policies and practices to make sure that they are adequate for the customer's needs.
6. Incident response. How does the CP respond to incidents and how are customers involved?
The Future of Cloud Security
With self-protecting data, intelligence is embedded within encrypted data. Data encrypted using this approach consults a policy when it is accessed and reveals its content only if the environment is verified as trustworthy. A trusted monitor is software installed at the CP's server that monitors CP operations and provides proof of compliance to the customer to verify adherence with established policies. Finally, searchable encryption allows computations on encrypted data so that data can be searched and indexed while staying encrypted for maximum security.
When the research and development to make these approaches practical for cloud computing are completed, the next step will be cloud provider implementation. With the integration of these technologies into their solutions, customers will have even more trust in their cloud provider.
Reader Feedback: Page 1 of 1
Latest Cloud Developer Stories
Subscribe to the World's Most Powerful Newsletters
Subscribe to Our Rss Feeds & Get Your SYS-CON News Live!
SYS-CON Featured Whitepapers
Most Read This Week